CVE-2024-37055: MLflow: RCE via pmdarima model deserialization

Severity: HIGH | PoC available
Published June 4, 2024
CISO Take

Any MLflow deployment on v1.24.0+ is vulnerable to RCE if untrusted users can upload models. An attacker uploads a crafted pmdarima model; any user who loads it executes attacker-controlled code on their system. Patch immediately, restrict model upload permissions to verified users only, and audit your model registry for suspicious pmdarima artifacts.

Risk Assessment

High risk for shared MLflow deployments. CVSS 8.8 with low attack complexity means exploitation is straightforward once model upload access is obtained. The User Interaction requirement is easily met in MLOps workflows where engineers routinely load models from shared registries. Organizations with open model registries, collaborative ML environments, or CI/CD pipelines that auto-evaluate models face the highest exposure. Because no privileges are required to stage the attack, the barrier to entry is low.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: 1.24.0 and newer (per the NVD description below)
Patched: No patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

CVSS 3.1 base metrics:
AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

6 steps
  1. Patch: Upgrade MLflow to the latest version addressing this advisory per HiddenLayer's guidance.

  2. Access control: Restrict model upload permissions to authenticated, vetted users only — treat model uploads as code deployments requiring review.

  3. Audit: Scan the model registry for pmdarima models uploaded by unverified or external accounts, especially artifacts loaded by automated pipelines.

  4. Detection: Log and alert on all model load events for pmdarima format; inspect pickle payloads where tooling permits.

  5. Network isolation: Avoid exposing MLflow instances publicly; enforce strong authentication on all endpoints.

  6. Compensating control: Block or sandbox pmdarima model load operations until patching is complete.
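Steps 3 and 4 above, as an added defender-side example that is not part of this advisory nor of MLflow's or HiddenLayer's tooling: it identifies the pmdarima flavor from an artifact's MLmodel file and statically lists the globals its pickle would import (via pickletools, without ever unpickling), so a registry audit or a load-time hook can flag any reference outside an allowlist. The MLmodel text, the allowlist and the sample pickles are constructed here, and the MLmodel parser is a line-based heuristic rather than a YAML parser.

```python
import pickle
import pickletools
import subprocess

SAFE_MODULES = {"pmdarima", "numpy", "pandas", "scipy", "sklearn", "statsmodels",
                "copyreg", "collections", "datetime"}  # assumed allowlist; tune it to your models
SAFE_BUILTINS = {"object", "set", "frozenset", "list", "dict", "tuple", "bytearray", "slice"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE", "STRING", "SHORT_BINSTRING"}

def mlmodel_flavors(mlmodel_text: str) -> set[str]:
    """Flavor names in an MLmodel file: the 2-space-indented keys under 'flavors:' (heuristic, no YAML lib)."""
    flavors, in_flavors = set(), False
    for line in mlmodel_text.splitlines():
        if line.strip() and not line.startswith(" "):
            in_flavors = line.strip() == "flavors:"
        elif in_flavors and line.strip() and line.startswith("  ") and not line.startswith("   "):
            flavors.add(line.strip().rstrip(":"))
    return flavors

def pickle_global_refs(data: bytes) -> list[tuple[str, str]]:  # static: the pickle is never loaded
    refs, pushed, memo, last = [], [], {}, None  # pushed: string operands in push order; last: top value
    for op, arg, _ in pickletools.genops(data):
        if op.name in STRING_OPS or op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = arg if op.name in STRING_OPS else memo.get(arg)
            pushed.append(last)
        elif op.name == "MEMOIZE":            # protocol 4+: memo key is the MEMOIZE count so far
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):  # protocols 0-3: explicit memo key
            memo[arg] = last
        elif op.name == "GLOBAL":             # protocols 0-3: argument is "module name"
            refs.append(tuple(arg.split(" ", 1)))
        else:
            if op.name == "STACK_GLOBAL":     # protocol 4+: module and name are the two previous pushes
                refs.append((str(pushed[-2]), str(pushed[-1])) if len(pushed) >= 2 else ("?", "?"))
            last = None                       # anything else pushes a non-string (or consumes the stack)
    return refs

def suspicious_refs(data: bytes) -> list[str]:  # e.g. ['subprocess.Popen', 'builtins.eval']
    bad = []
    for module, name in pickle_global_refs(data):
        ok = name in SAFE_BUILTINS if module == "builtins" else module.split(".")[0] in SAFE_MODULES
        if not ok:
            bad.append(f"{module}.{name}")
    return bad

# Constructed samples shaped like an MLflow pmdarima artifact; not real registry data.
SAMPLE_MLMODEL = "flavors:\n  pmdarima:\n    pickled_model: model.pkl\n  python_function:\n    loader_module: mlflow.pmdarima\n"
BENIGN_PKL = pickle.dumps({"order": (1, 1, 1), "seasonal": False})  # contains no globals
FLAGGED_PKL = pickle.dumps([subprocess.Popen, subprocess.run])  # bare references only; nothing runs here
```

A non-empty result from suspicious_refs on a pmdarima artifact is the alert condition for step 4; the same check run over every version in the registry implements step 3.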

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI supply chain security; A.9.3 - AI system security
NIST AI RMF: GOVERN 1.1 - Policies for AI risk management; MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10: LLM03 - Supply Chain

Frequently Asked Questions

Is CVE-2024-37055 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37055, increasing the risk of exploitation.

What systems are affected by CVE-2024-37055?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registries, training pipelines, CI/CD ML pipelines, model serving.

What is the CVSS score for CVE-2024-37055?

CVE-2024-37055 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.44%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling a maliciously uploaded pmdarima model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary targets an organization using MLflow for experiment tracking. They obtain upload credentials via phishing or discover an unauthenticated MLflow instance exposed to the internet. They craft a pmdarima model file containing a malicious Python pickle payload — a reverse shell or credential harvester — and upload it to the shared model registry under a plausible experiment name. When a data scientist or automated CI/CD pipeline loads the model for evaluation or serving, the payload executes with the privileges of the loading process. The attacker pivots to training infrastructure, exfiltrates proprietary model weights, or implants persistent backdoors in the ML pipeline.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 4, 2024
Last Modified: February 3, 2025
First Seen: June 4, 2024
