CVE-2024-37057: MLflow: RCE via malicious TensorFlow model deserialization

Severity: HIGH | PoC available | CISA SSVC: Attend
Published June 4, 2024
CISO Take

Any MLflow deployment running ≥2.0.0rc0 is vulnerable to arbitrary code execution the moment a user loads a maliciously uploaded TensorFlow model — a routine action in every ML workflow. This is a supply chain attack: one compromised upload in a shared model registry can pivot to every data scientist workstation and CI/CD runner that pulls that model. Patch immediately, restrict model upload permissions, and audit your registry for untrusted artifacts.

Risk Assessment

HIGH. CVSS 8.8 understates operational risk in ML environments — loading models from a shared registry is reflexive behavior, not a suspicious action, so users have zero threat awareness. Exploitation requires no special privileges in many default MLflow configurations (unauthenticated upload possible), and the attacker only needs one person to interact with the model. Blast radius includes developer workstations, automated retraining pipelines, and inference infrastructure. The low attack complexity and wide deployment of MLflow in enterprise ML stacks make this a high-priority remediation target.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable range: ≥2.0.0rc0 (per the NVD description below)
Patched: No patch listed


Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 63% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. PATCH

    Upgrade MLflow immediately — consult the HiddenLayer advisory for the minimum safe version.

  2. ACCESS CONTROL

    Treat model registry write access like code repository write access — require authentication, MFA, and role-based permissions for model uploads.

  3. AUDIT

    Review all TensorFlow models uploaded post-2024-01-01 for unexpected files, Lambda layers, or custom ops in SavedModel directories.

  4. SANDBOX

    Load models in isolated containers or VMs with no outbound network access and read-only filesystem mounts for all automated pipeline jobs.

  5. SIGN AND VERIFY

    Implement model artifact signing (e.g., Sigstore/cosign) and verify checksums before loading in any pipeline.

  6. DETECT

    Alert on process spawning (shells, curl, wget, netcat) or outbound network connections originating from model loading processes.
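As an added example that is not from this page or from the MLflow project, the following Python pre-load gate implements steps 3 and 5 together: it pins a SHA-256 manifest of a model directory when the artifact is registered, and before any pipeline loads the model it refuses artifacts whose tree no longer matches the pinned manifest, that contain files outside the standard TensorFlow SavedModel layout, or whose Keras metadata declares a Lambda layer. The layout allowlist and the `"class_name": "Lambda"` byte marker in keras_metadata.pb are heuristic assumptions; the fixture directories are constructed stand-ins, not real models.

```python
import fnmatch
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed standard TF 2.x Keras SavedModel layout; anything else is flagged.
EXPECTED = ["saved_model.pb", "keras_metadata.pb", "fingerprint.pb",
            "variables/variables.index", "variables/variables.data-*-of-*",
            "assets/*"]
# Heuristic: Keras serialises Lambda layers with this class name in its JSON metadata.
LAMBDA_MARKER = b'"class_name": "Lambda"'


def sha256_manifest(root: Path) -> dict:
    """Hash every file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def audit_saved_model(root: Path) -> list:
    """Step 3: report files outside the expected layout and Lambda-layer markers."""
    findings = [f"unexpected file: {rel}" for rel in sha256_manifest(root)
                if not any(fnmatch.fnmatch(rel, pat) for pat in EXPECTED)]
    meta = root / "keras_metadata.pb"
    if meta.is_file() and LAMBDA_MARKER in meta.read_bytes():
        findings.append("Lambda layer in keras_metadata.pb (runs Python on load)")
    return findings


def preload_gate(root: Path, pinned: dict) -> tuple:
    """Step 5: allow a load only if the tree matches the pinned manifest and the audit is clean."""
    findings = audit_saved_model(root)
    if sha256_manifest(root) != pinned:
        findings.append("manifest mismatch: artifact differs from the pinned version")
    return (not findings, findings)


def build_fixture(malicious: bool) -> Path:
    """Constructed sample tree (not a real SavedModel) so the gate can be exercised offline."""
    root = Path(tempfile.mkdtemp())
    (root / "variables").mkdir()
    (root / "saved_model.pb").write_bytes(b"\x08\x01graph")
    (root / "variables" / "variables.index").write_bytes(b"idx")
    (root / "variables" / "variables.data-00000-of-00001").write_bytes(b"weights")
    layer = {"class_name": "Lambda" if malicious else "Dense"}
    (root / "keras_metadata.pb").write_bytes(json.dumps(layer).encode())
    if malicious:  # a dropped file that does not belong in a SavedModel
        (root / "payload.py").write_bytes(b"# unexpected")
    return root


if __name__ == "__main__":
    clean = build_fixture(malicious=False)
    pinned = sha256_manifest(clean)  # record this at registration / signing time
    print(preload_gate(clean, pinned))
    print(preload_gate(build_fixture(malicious=True), pinned))
```

The pinned manifest would normally be stored alongside the artifact signature (step 5), so a registry entry that was silently replaced fails the gate even when its file names look normal.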

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.10.1 - Third-party and supply chain AI risk; A.6.1.5 - AI system security controls
NIST AI RMF: GOVERN-6.1 - AI supply chain risk policies; MANAGE-2.2 - AI risk treatment mechanisms
OWASP LLM Top 10: LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-37057 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37057, increasing the risk of exploitation.

What systems are affected by CVE-2024-37057?

This vulnerability affects the following AI/ML architecture patterns: model registry, training pipelines, model serving, MLOps platforms, model evaluation pipelines.

What is the CVSS score for CVE-2024-37057?

CVE-2024-37057 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.44%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.0.0rc0 or newer, enabling a maliciously uploaded Tensorflow model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

Adversary obtains write access to a shared MLflow instance — either via compromised contributor credentials, an exposed unauthenticated MLflow UI, or a malicious insider. They craft a TensorFlow SavedModel containing a malicious custom layer or serialized Python object that executes a reverse shell payload during model load. The model is published under a plausible name (e.g., 'gpt2-finetuned-internal-v3') with a slightly higher version number than the current production model. An automated retraining pipeline or a data scientist conducting model comparison pulls and loads the artifact — triggering execution. The attacker gains foothold on the runner or workstation, exfiltrates cloud provider credentials, training data, and proprietary model weights, then pivots laterally into the MLOps infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 4, 2024
Last Modified: February 3, 2025
First Seen: June 4, 2024
