Description
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
Published: 2024-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-2191 MLFlow unsafe deserialization
Github GHSA Github GHSA GHSA-wf7f-8fxf-xfxc MLFlow unsafe deserialization
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00402}

 epss

{'score': 0.00383}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00216}

 epss

{'score': 0.00402}

Mon, 03 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow

Subscriptions

Lfprojects Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2024-08-02T03:43:50.934Z

Reserved: 2024-05-31T14:16:48.807Z

Link: CVE-2024-37059

cve-icon Vulnrichment

Updated: 2024-08-02T03:43:50.934Z

cve-icon NVD

Status : Analyzed

Published: 2024-06-04T12:15:12.227

Modified: 2025-02-03T14:46:23.250

Link: CVE-2024-37059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses