CVE-2024-37060: MLflow: RCE via deserialization in crafted Recipes

Severity: HIGH. Public PoC available.
Published: June 4, 2024
CISO Take

MLflow Recipes (v1.27.0+) deserialize untrusted data without validation, enabling arbitrary code execution when a data scientist runs a crafted recipe file. Any ML team sharing or consuming MLflow recipes — from public repos, teammates, or vendors — is exposed. Patch MLflow immediately and audit recipe sources; treat untrusted recipe files like executable code.

What is the risk?

CVSS 8.8 with network vector and low complexity makes this high-severity in practice. The user-interaction requirement is a weak barrier in ML workflows where sharing recipe configs is routine and trust is implicit. MLflow's broad adoption across model training, experiment tracking, and CI/CD pipelines dramatically expands the blast radius. No privileges required means any external collaborator or compromised repository can be the delivery vector.

What systems are affected?

Package: MLflow
Ecosystem: pip
Vulnerable range: not listed
Patched: No patch

Do you use MLflow? You're affected.

How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 51% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

6 steps
1. PATCH: Upgrade MLflow to the latest patched version per the HiddenLayer advisory (https://hiddenlayer.com/sai-security-advisory/mlflow-june2024).
2. AUDIT: Inventory all recipe files in use — treat them as untrusted code if sourced externally.
3. RESTRICT: Disable the MLflow Recipes feature via configuration controls if it is not actively used.
4. ISOLATE: Run MLflow pipelines in sandboxed environments (containers with no credential access, network egress controls).
5. DETECT: Monitor for unexpected process spawning from MLflow processes; alert on outbound connections from pipeline runners.
6. SUPPLY CHAIN: Lock recipe sources to internal, version-controlled repositories with code review gates.
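One way to carry out the AUDIT step before a recipe is ever handed to `mlflow recipes run`. This is an added example, not MLflow's or the advisory's code; it assumes the serialized object a crafted recipe embeds is carried as a PyYAML `!!python/...` tag (the scenario on this page does not name the encoding), and the sample recipes are constructed.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# PyYAML tags that construct or call Python objects when a document is loaded
# with the full loader (yaml.load / yaml.unsafe_load); yaml.safe_load refuses
# them, so a recipe that needs one is code, not configuration.
_PYTHON_TAG_RE = re.compile(r"!!python/(?:object(?:/apply|/new)?|name|module)\b")


def audit_recipe_text(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, tag) for each python tag; a text scan never executes anything."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in _PYTHON_TAG_RE.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


def is_recipe_safe_to_run(text: str) -> bool:
    """Runner gate: True only when the recipe carries no python tags."""
    return not audit_recipe_text(text)


def audit_recipe_dir(root: Path) -> Dict[str, List[Tuple[int, str]]]:
    """Inventory every .yaml/.yml under root; return only the flagged files."""
    report: Dict[str, List[Tuple[int, str]]] = {}
    for path in sorted(p for p in root.rglob("*") if p.suffix in (".yaml", ".yml")):
        findings = audit_recipe_text(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path)] = findings
    return report


# Constructed sample recipes (illustrative, not from any real MLflow project).
SAFE_RECIPE = """\
recipe: "regression/v1"
steps:
  ingest:
    using: parquet
"""

FLAGGED_RECIPE = """\
recipe: "regression/v1"
steps:
  ingest:
    # A harmless tag stands in for the serialized object a crafted recipe embeds.
    loader_method: !!python/name:builtins.print
"""
```

Wire `audit_recipe_dir(Path("recipes"))` into the pipeline's pre-run check and fail the run on any non-empty report; a tag inside a quoted string will also be flagged, which is the intended bias for untrusted input.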

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Article 15 (Accuracy, robustness and cybersecurity); Article 9 (Risk management system)
  • ISO 42001: 6.1.2 (AI risk assessment); 8.2 (AI system risk management)
  • NIST AI RMF: GOVERN 1.2 (Accountability for AI risk); MANAGE 2.4 (Residual risks are managed)
  • OWASP LLM Top 10: LLM05 (Supply Chain Vulnerabilities)

Frequently Asked Questions

Is CVE-2024-37060 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37060, increasing the risk of exploitation.

How to fix CVE-2024-37060?

1. PATCH: Upgrade MLflow to the latest patched version per the HiddenLayer advisory (https://hiddenlayer.com/sai-security-advisory/mlflow-june2024).
2. AUDIT: Inventory all recipe files in use — treat them as untrusted code if sourced externally.
3. RESTRICT: Disable the MLflow Recipes feature via configuration controls if it is not actively used.
4. ISOLATE: Run MLflow pipelines in sandboxed environments (containers with no credential access, network egress controls).
5. DETECT: Monitor for unexpected process spawning from MLflow processes; alert on outbound connections from pipeline runners.
6. SUPPLY CHAIN: Lock recipe sources to internal, version-controlled repositories with code review gates.

What systems are affected by CVE-2024-37060?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, mlops platforms, model development environments, CI/CD for ML, experiment tracking infrastructure.

What is the CVSS score for CVE-2024-37060?

CVE-2024-37060 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.77%.

What is the AI security impact?

Affected AI Architectures

training pipelines, MLOps platforms, model development environments, CI/CD for ML, experiment tracking infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0011.000 Unsafe AI Artifacts
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 6.1.2, 8.2
NIST AI RMF: GOVERN 1.2, MANAGE 2.4
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Exploitation Scenario

An adversary publishes a malicious MLflow recipe template to a public GitHub repository or compromises a popular template repo. The recipe YAML embeds a serialized Python object containing a reverse shell payload. A data scientist discovers the template, clones it, and executes `mlflow recipes run` as part of standard workflow. During recipe loading, MLflow deserializes the untrusted object, triggering execution of the embedded payload — establishing persistence, exfiltrating AWS/GCP credentials from environment variables, and potentially poisoning local model artifacts before the user notices anything unusual.

Weaknesses (CWE)

CWE-502 — Deserialization of Untrusted Data: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

  • [Architecture and Design, Implementation] If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. For example, a hash-based message authentication code (HMAC) could be used to ensure that data has not been modified.
  • [Implementation] When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe.
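The HMAC sealing the first bullet recommends, applied to recipe files: the runner recomputes a detached HMAC-SHA256 tag over the raw bytes and refuses to parse anything that does not verify. This is an added example, not MLflow's or the advisory's code; it assumes a key shared out of band between publisher and runner, and the recipe bytes are constructed. The seal proves who produced the file, not that its contents are harmless.

```python
import hashlib
import hmac
from typing import Optional

# Constructed example: a trusted publisher ships each recipe with a detached
# HMAC-SHA256 tag over the file's raw bytes; the runner recomputes it before
# any parsing or deserialization happens. The key is shared out of band.
_DIGEST = hashlib.sha256


def seal_recipe(recipe_bytes: bytes, key: bytes) -> str:
    """Hex HMAC-SHA256 tag the publisher stores next to the recipe file."""
    return hmac.new(key, recipe_bytes, _DIGEST).hexdigest()


def verify_recipe(recipe_bytes: bytes, tag: Optional[str], key: bytes) -> bool:
    """Constant-time check of the tag; an absent tag never passes."""
    if not tag:
        return False
    return hmac.compare_digest(seal_recipe(recipe_bytes, key), tag)


def load_recipe_checked(recipe_bytes: bytes, tag: Optional[str], key: bytes) -> bytes:
    """Hand the bytes to the YAML loader only after the seal verifies."""
    if not verify_recipe(recipe_bytes, tag, key):
        raise ValueError("recipe seal missing or invalid; refusing to load")
    return recipe_bytes


# Constructed demo values; a real deployment keeps the key in a secrets store.
DEMO_KEY = bytes(range(32))
TRUSTED_RECIPE = b'recipe: "regression/v1"\ntarget_col: "fare_amount"\n'
TRUSTED_TAG = seal_recipe(TRUSTED_RECIPE, DEMO_KEY)
# One appended line is enough to invalidate the tag.
TAMPERED_RECIPE = TRUSTED_RECIPE + b"steps: {ingest: {hook: !!python/name:builtins.print}}\n"
```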

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: June 4, 2024
Last Modified: February 3, 2025
First Seen: June 4, 2024
