CVE-2024-37056 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

Any MLflow deployment (v1.23.0+) where users can upload or interact with externally sourced models is exposed to remote code execution. An attacker needs only to upload a malicious LightGBM scikit-learn model—no credentials required—and wait for a data scientist to load it. Upgrade to a patched MLflow release immediately and restrict model registry write access to trusted, authenticated users only.

Risk Assessment

High risk for organizations running shared or collaborative ML platforms. CVSS 8.8 with low complexity and no privilege requirement makes exploitation straightforward—'user interaction' here means a data scientist routinely opening or loading a model, which is normal workflow behavior. The attack surface expands significantly in multi-tenant or externally accessible MLflow instances, and the lack of CISA KEV listing does not diminish real-world risk given the ease of exploitation.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 61% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

7 steps

Upgrade MLflow to the latest patched release immediately.
Restrict model upload permissions to authenticated, trusted users only—disable anonymous or open model registry access.
Implement model provenance controls: require signed models or enforce format allowlists.
Scan model files for unsafe serialization formats (pickle, joblib) before they enter the registry using tools like ModelScan.
Audit existing model registry contents for unexpected LightGBM scikit-learn models from unfamiliar accounts.
Deploy network monitoring on MLflow workers to detect anomalous outbound connections as a post-exploitation indicator.
If immediate patching is not possible, air-gap the model registry from untrusted external upload sources.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - AI supply chain security

NIST AI RMF

MANAGE 2.2 - Mechanisms for response and recovery

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2024-37056?

Any MLflow deployment (v1.23.0+) where users can upload or interact with externally sourced models is exposed to remote code execution. An attacker needs only to upload a malicious LightGBM scikit-learn model—no credentials required—and wait for a data scientist to load it. Upgrade to a patched MLflow release immediately and restrict model registry write access to trusted, authenticated users only.

Is CVE-2024-37056 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37056, increasing the risk of exploitation.

How to fix CVE-2024-37056?

1. Upgrade MLflow to the latest patched release immediately. 2. Restrict model upload permissions to authenticated, trusted users only—disable anonymous or open model registry access. 3. Implement model provenance controls: require signed models or enforce format allowlists. 4. Scan model files for unsafe serialization formats (pickle, joblib) before they enter the registry using tools like ModelScan. 5. Audit existing model registry contents for unexpected LightGBM scikit-learn models from unfamiliar accounts. 6. Deploy network monitoring on MLflow workers to detect anomalous outbound connections as a post-exploitation indicator. 7. If immediate patching is not possible, air-gap the model registry from untrusted external upload sources.

What systems are affected by CVE-2024-37056?

This vulnerability affects the following AI/ML architecture patterns: model registry, MLOps platforms, training pipelines, model serving, experiment tracking.

What is the CVSS score for CVE-2024-37056?

CVE-2024-37056 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.40%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.23.0 or newer, enabling a maliciously uploaded LightGBM scikit-learn model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary identifies a target organization's shared or publicly accessible MLflow instance. They register an account (or leverage a compromised one) and upload a crafted LightGBM scikit-learn model containing a malicious Python pickle payload embedded in the serialized artifact. When a data scientist browses the model registry and clicks 'load model' or references it in an experiment run, Python's deserialization triggers the payload—granting the attacker immediate code execution on the victim's machine. From there they can exfiltrate API keys, cloud credentials, or model weights, or establish persistence within the ML infrastructure.