CVE-2024-37060 — HIGH (CVSS 8.8) AI Security Vulnerability

CISO Take

MLflow Recipes (v1.27.0+) deserialize untrusted data without validation, enabling arbitrary code execution when a data scientist runs a crafted recipe file. Any ML team sharing or consuming MLflow recipes — from public repos, teammates, or vendors — is exposed. Patch MLflow immediately and audit recipe sources; treat untrusted recipe files like executable code.

Risk Assessment

CVSS 8.8 with network vector and low complexity makes this high-severity in practice. The user-interaction requirement is a weak barrier in ML workflows where sharing recipe configs is routine and trust is implicit. MLflow's broad adoption across model training, experiment tracking, and CI/CD pipelines dramatically expands the blast radius. No privileges required means any external collaborator or compromised repository can be the delivery vector.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mlflow	pip	—	No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1

8.8 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 59% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I High

A High

Recommended Action

6 steps

PATCH

Upgrade MLflow to the latest patched version per the HiddenLayer advisory (https://hiddenlayer.com/sai-security-advisory/mlflow-june2024).
AUDIT

Inventory all recipe files in use — treat them as untrusted code if sourced externally.
RESTRICT

Disable MLflow Recipes feature if not actively used via configuration controls.
ISOLATE

Run MLflow pipelines in sandboxed environments (containers with no credential access, network egress controls).
DETECT

Monitor for unexpected process spawning from MLflow processes; alert on outbound connections from pipeline runners.
SUPPLY CHAIN

Lock recipe sources to internal, version-controlled repositories with code review gates.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk assessment 8.2 - AI system risk management

NIST AI RMF

GOVERN 1.2 - Accountability for AI risk MANAGE 2.4 - Residual risks are managed

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-37060?

MLflow Recipes (v1.27.0+) deserialize untrusted data without validation, enabling arbitrary code execution when a data scientist runs a crafted recipe file. Any ML team sharing or consuming MLflow recipes — from public repos, teammates, or vendors — is exposed. Patch MLflow immediately and audit recipe sources; treat untrusted recipe files like executable code.

Is CVE-2024-37060 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-37060, increasing the risk of exploitation.

How to fix CVE-2024-37060?

1. PATCH: Upgrade MLflow to the latest patched version per the HiddenLayer advisory (https://hiddenlayer.com/sai-security-advisory/mlflow-june2024). 2. AUDIT: Inventory all recipe files in use — treat them as untrusted code if sourced externally. 3. RESTRICT: Disable MLflow Recipes feature if not actively used via configuration controls. 4. ISOLATE: Run MLflow pipelines in sandboxed environments (containers with no credential access, network egress controls). 5. DETECT: Monitor for unexpected process spawning from MLflow processes; alert on outbound connections from pipeline runners. 6. SUPPLY CHAIN: Lock recipe sources to internal, version-controlled repositories with code review gates.

What systems are affected by CVE-2024-37060?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, mlops platforms, model development environments, CI/CD for ML, experiment tracking infrastructure.

What is the CVSS score for CVE-2024-37060?

CVE-2024-37060 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.38%.

Technical Details

NVD Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.27.0 or newer, enabling a maliciously crafted Recipe to execute arbitrary code on an end user’s system when run.

Exploitation Scenario

An adversary publishes a malicious MLflow recipe template to a public GitHub repository or compromises a popular template repo. The recipe YAML embeds a serialized Python object containing a reverse shell payload. A data scientist discovers the template, clones it, and executes `mlflow recipes run` as part of standard workflow. During recipe loading, MLflow deserializes the untrusted object, triggering execution of the embedded payload — establishing persistence, exfiltrating AWS/GCP credentials from environment variables, and potentially poisoning local model artifacts before the user notices anything unusual.