CVE-2024-37055: MLflow: RCE via pmdarima model deserialization

HIGH PoC AVAILABLE
Published June 4, 2024
CISO Take

Any MLflow deployment on v1.24.0+ is vulnerable to RCE if untrusted users can upload models. An attacker uploads a crafted pmdarima model; any user who loads it executes attacker-controlled code on their system. Patch immediately, restrict model upload permissions to verified users only, and audit your model registry for suspicious pmdarima artifacts.

What is the risk?

High risk for shared MLflow deployments. CVSS 8.8 with low attack complexity means exploitation is straightforward once model upload access is obtained. The User Interaction requirement is easily met in MLOps workflows where engineers routinely load models from shared registries. Organizations with open model registries, collaborative ML environments, or CI/CD pipelines that auto-evaluate models face the highest exposure. Because no privileges are required to stage the attack, the barrier to entry is significantly lower.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
MLflow | pip | | No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.6% chance of exploitation in 30 days (higher than 45% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: High

What should I do?

6 steps
  1. Patch: Upgrade MLflow to the latest version addressing this advisory per HiddenLayer's guidance.

  2. Access control: Restrict model upload permissions to authenticated, vetted users only — treat model uploads as code deployments requiring review.

  3. Audit: Scan the model registry for pmdarima models uploaded by unverified or external accounts, especially artifacts loaded by automated pipelines.

  4. Detection: Log and alert on all model load events for pmdarima format; inspect pickle payloads where tooling permits.

  5. Network isolation: Avoid exposing MLflow instances publicly; enforce strong authentication on all endpoints.

  6. Compensating control: Block or sandbox pmdarima model load operations until patching is complete.

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI supply chain security
A.9.3 - AI system security
NIST AI RMF
GOVERN 1.1 - Policies for AI risk management
MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10
LLM03 - Supply Chain

Frequently Asked Questions

What is CVE-2024-37055?

Any MLflow deployment on v1.24.0+ is vulnerable to RCE if untrusted users can upload models. An attacker uploads a crafted pmdarima model; any user who loads it executes attacker-controlled code on their system. Patch immediately, restrict model upload permissions to verified users only, and audit your model registry for suspicious pmdarima artifacts.

Is CVE-2024-37055 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37055, increasing the risk of exploitation.

How to fix CVE-2024-37055?

  1. Patch: Upgrade MLflow to the latest version addressing this advisory per HiddenLayer's guidance.

  2. Access control: Restrict model upload permissions to authenticated, vetted users only — treat model uploads as code deployments requiring review.

  3. Audit: Scan the model registry for pmdarima models uploaded by unverified or external accounts, especially artifacts loaded by automated pipelines.

  4. Detection: Log and alert on all model load events for pmdarima format; inspect pickle payloads where tooling permits.

  5. Network isolation: Avoid exposing MLflow instances publicly; enforce strong authentication on all endpoints.

  6. Compensating control: Block or sandbox pmdarima model load operations until patching is complete.

What systems are affected by CVE-2024-37055?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, CI/CD ML pipelines, model serving.

What is the CVSS score for CVE-2024-37055?

CVE-2024-37055 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model registries, training pipelines, CI/CD ML pipelines, model serving

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.5, A.9.3
NIST AI RMF: GOVERN 1.1, MANAGE 2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary targets an organization using MLflow for experiment tracking. They obtain upload credentials via phishing or discover an unauthenticated MLflow instance exposed to the internet. They craft a pmdarima model file containing a malicious Python pickle payload — a reverse shell or credential harvester — and upload it to the shared model registry under a plausible experiment name. When a data scientist or automated CI/CD pipeline loads the model for evaluation or serving, the payload executes with the privileges of the loading process. The attacker pivots to training infrastructure, exfiltrates proprietary model weights, or implants persistent backdoors in the ML pipeline.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 4, 2024
Last Modified
February 3, 2025
First Seen
June 4, 2024

Related Vulnerabilities