CVE-2024-37058 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

Any MLflow deployment running 2.5.0+ that allows external or untrusted model uploads is exposed to arbitrary code execution — simply loading a poisoned LangChain AgentExecutor model triggers it. This is a critical risk for shared MLflow model registries where data scientists or automated pipelines pull and run models without verifying provenance. Patch immediately, audit your registry for unknown model uploads, and enforce strict write-access controls on your model store.

Risk Assessment

High risk in practice despite requiring user interaction — in MLOps pipelines 'user interaction' is frequently automated (CI/CD jobs, scheduled inference, auto-loading from registry). CVSS 8.8 with network vector and low complexity means exploitation is straightforward for anyone who can push a model to the registry. Shared MLflow instances in data science teams compound the blast radius: a single malicious upload can compromise every machine that subsequently loads it. No active KEV listing but the HiddenLayer advisory includes exploit details, lowering attacker skill threshold significantly.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 61% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade MLflow to the version that addresses this deserialization flaw (verify against the HiddenLayer advisory for exact patched version).
AUDIT

Review MLflow model registry for any recently uploaded LangChain AgentExecutor models from unexpected sources — treat unknown uploads as potentially malicious.
ACCESS CONTROL

Restrict model upload permissions to a minimal set of CI/CD service accounts; require code review or approval workflow before models enter the registry.
SCAN

Run static analysis on model pickle/joblib files before loading (tools: modelscan by ProtectAI).
NETWORK ISOLATION

Ensure MLflow UI/API is not internet-facing; place behind VPN or internal network only.
DETECTION

Monitor for unexpected process spawning from Python/MLflow processes; alert on outbound connections initiated by model-loading jobs.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Supply Chain Code Execution Framework Model Agent AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.1.4 - AI System Supply Chain

NIST AI RMF

GOVERN 6.1 - AI Risk in Third-Party Entities MANAGE 2.2 - Risk Treatments and Mitigations

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37058?

Any MLflow deployment running 2.5.0+ that allows external or untrusted model uploads is exposed to arbitrary code execution — simply loading a poisoned LangChain AgentExecutor model triggers it. This is a critical risk for shared MLflow model registries where data scientists or automated pipelines pull and run models without verifying provenance. Patch immediately, audit your registry for unknown model uploads, and enforce strict write-access controls on your model store.

Is CVE-2024-37058 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37058, increasing the risk of exploitation.

How to fix CVE-2024-37058?

1. PATCH: Upgrade MLflow to the version that addresses this deserialization flaw (verify against the HiddenLayer advisory for exact patched version). 2. AUDIT: Review MLflow model registry for any recently uploaded LangChain AgentExecutor models from unexpected sources — treat unknown uploads as potentially malicious. 3. ACCESS CONTROL: Restrict model upload permissions to a minimal set of CI/CD service accounts; require code review or approval workflow before models enter the registry. 4. SCAN: Run static analysis on model pickle/joblib files before loading (tools: modelscan by ProtectAI). 5. NETWORK ISOLATION: Ensure MLflow UI/API is not internet-facing; place behind VPN or internal network only. 6. DETECTION: Monitor for unexpected process spawning from Python/MLflow processes; alert on outbound connections initiated by model-loading jobs.

What systems are affected by CVE-2024-37058?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registry, agent frameworks, model serving, training pipelines.

What is the CVSS score for CVE-2024-37058?

CVE-2024-37058 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.40%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary with write access to a target organization's MLflow model registry — obtained via compromised credentials, insider threat, or a publicly exposed registry — crafts a malicious LangChain AgentExecutor model. The payload is embedded using Python's pickle serialization, which executes arbitrary code during deserialization. The attacker uploads it with a benign name (e.g., 'langchain-rag-agent-v2') and waits. A data scientist runs a model comparison notebook pulling candidates from the registry, or an automated evaluation pipeline loads the model for benchmarking. Upon load, the payload executes: reverse shell established, cloud credentials exfiltrated from environment variables, and lateral movement begins to connected data stores and GPU clusters. The attacker never needed to touch the victim's network directly — the supply chain did the work.