CVE-2024-37058: MLflow: RCE via malicious LangChain model deserialization

HIGH PoC AVAILABLE CISA: ATTEND
Published June 4, 2024
CISO Take

Any MLflow deployment running 2.5.0+ that allows external or untrusted model uploads is exposed to arbitrary code execution — simply loading a poisoned LangChain AgentExecutor model triggers it. This is a critical risk for shared MLflow model registries where data scientists or automated pipelines pull and run models without verifying provenance. Patch immediately, audit your registry for unknown model uploads, and enforce strict write-access controls on your model store.

What is the risk?

High risk in practice despite requiring user interaction — in MLOps pipelines 'user interaction' is frequently automated (CI/CD jobs, scheduled inference, auto-loading from registry). CVSS 8.8 with network vector and low complexity means exploitation is straightforward for anyone who can push a model to the registry. Shared MLflow instances in data science teams compound the blast radius: a single malicious upload can compromise every machine that subsequently loads it. No active KEV listing but the HiddenLayer advisory includes exploit details, lowering attacker skill threshold significantly.

What systems are affected?

Package   Ecosystem   Vulnerable Range   Patched
MLflow    pip                            No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1
8.8 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 45% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                       Value
Attack Vector (AV)           Network
Attack Complexity (AC)       Low
Privileges Required (PR)     None
User Interaction (UI)        Required
Scope (S)                    Unchanged
Confidentiality Impact (C)   High
Integrity Impact (I)         High
Availability Impact (A)      High

What should I do?

6 steps
  1. PATCH

    Upgrade MLflow to the version that addresses this deserialization flaw (verify against the HiddenLayer advisory for exact patched version).

  2. AUDIT

    Review MLflow model registry for any recently uploaded LangChain AgentExecutor models from unexpected sources — treat unknown uploads as potentially malicious.

  3. ACCESS CONTROL

    Restrict model upload permissions to a minimal set of CI/CD service accounts; require code review or approval workflow before models enter the registry.

  4. SCAN

    Run static analysis on model pickle/joblib files before loading (tools: modelscan by ProtectAI).

  5. NETWORK ISOLATION

    Ensure MLflow UI/API is not internet-facing; place behind VPN or internal network only.

  6. DETECTION

    Monitor for unexpected process spawning from Python/MLflow processes; alert on outbound connections initiated by model-loading jobs.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.4 - AI System Supply Chain
NIST AI RMF
GOVERN 6.1 - AI Risk in Third-Party Entities
MANAGE 2.2 - Risk Treatments and Mitigations
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-37058 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37058, increasing the risk of exploitation.

What systems are affected by CVE-2024-37058?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registry, agent frameworks, model serving, training pipelines.

What is the CVSS score for CVE-2024-37058?

CVE-2024-37058 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.62%.

What is the AI security impact?

Affected AI Architectures

MLOps pipelines, model registry, agent frameworks, model serving, training pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application
AML.T0058 Publish Poisoned Models

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user’s system when interacted with.

Exploitation Scenario

An adversary with write access to a target organization's MLflow model registry — obtained via compromised credentials, insider threat, or a publicly exposed registry — crafts a malicious LangChain AgentExecutor model. The payload is embedded using Python's pickle serialization, which executes arbitrary code during deserialization. The attacker uploads it with a benign name (e.g., 'langchain-rag-agent-v2') and waits. A data scientist runs a model comparison notebook pulling candidates from the registry, or an automated evaluation pipeline loads the model for benchmarking. Upon load, the payload executes: reverse shell established, cloud credentials exfiltrated from environment variables, and lateral movement begins to connected data stores and GPU clusters. The attacker never needed to touch the victim's network directly — the supply chain did the work.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
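The SCAN step above and the CWE-502 guidance both come down to inspecting a pickle before anything calls pickle.load() on it. The following is an added example, not code from MLflow, LangChain or this advisory: it walks a pickle's opcode stream with the standard-library pickletools module (which parses without executing) and reports every module import the artifact would perform at load time that is not on an allowlist. The allowlist, the denied builtins and the two sample blobs are constructed assumptions for the example.

```python
import collections
import io
import pickle
import pickletools

# Allowlist of modules a model may import while unpickling, and names that are
# never legitimate even from an allowed module. Both are assumptions for this example.
ALLOWED_MODULES = {"builtins", "collections", "numpy", "torch", "sklearn", "langchain"}
DENIED_NAMES = {("builtins", "eval"), ("builtins", "exec"), ("builtins", "getattr")}
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}

def _check(module: str, name: str, pos: int) -> list[str]:
    if module not in ALLOWED_MODULES or (module, name) in DENIED_NAMES:
        return [f"offset {pos}: import {module}.{name} is not on the allowlist"]
    return []

def scan_pickle(data: bytes) -> list[str]:
    """Findings for each GLOBAL/STACK_GLOBAL import outside the allowlist (parsed with
    pickletools.genops, so nothing runs; an empty result is not proof of safety)."""
    findings, strings, memo, last = [], [], {}, None
    for op, arg, pos in pickletools.genops(io.BytesIO(data)):
        if op.name in STRING_OPS:                 # a string constant was pushed
            strings.append(arg); last = arg
        elif op.name == "MEMOIZE":                # protocol 4: index = count so far
            memo[len(memo)] = last
        elif op.name in ("PUT", "BINPUT", "LONG_BINPUT"):
            memo[arg] = last                      # older protocols: explicit index
        elif op.name in ("GET", "BINGET", "LONG_BINGET"):
            last = memo.get(arg) if isinstance(memo.get(arg), str) else None
            if last is not None:                  # repeated module names come via memo
                strings.append(last)
        elif op.name == "GLOBAL":                 # protocol 0-3: text arg "module name"
            findings += _check(*arg.split(" ", 1), pos); last = None
        elif op.name == "STACK_GLOBAL":           # protocol 4+: module, name on stack
            if len(strings) >= 2:
                name, module = strings.pop(), strings.pop()
                findings += _check(module, name, pos)
            else:
                findings.append(f"offset {pos}: STACK_GLOBAL with no module/name")
            last = None
        else:
            last = None
    return findings

# Constructed samples: a benign protocol-4 pickle of stdlib containers (the second
# one re-imports "collections" through the memo) and a hand-assembled stream that
# merely references os.system and never calls it.
BENIGN_SAMPLE = pickle.dumps([collections.OrderedDict(w=[0.1]), collections.deque([2])], protocol=4)
SUSPICIOUS_SAMPLE = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94."
```

Run scan_pickle over every artifact file pulled from the registry and refuse to load anything that returns findings; an MLflow LangChain flavor directory may contain several pickled files, so scan each one.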

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
June 4, 2024
Last Modified
February 3, 2025
First Seen
June 4, 2024

Related Vulnerabilities