BIT-mlflow-2024-37057
Deserialization of Untrusted Data vulnerability in mlflow (PyPI)
What is BIT-mlflow-2024-37057 About?
MLflow versions 2.0.0rc0 and newer are vulnerable to deserialization of untrusted data, allowing arbitrary code execution. The issue is triggered when a maliciously uploaded TensorFlow model is interacted with, enabling an attacker to run code on an end user's system. Exploitation requires uploading a specially crafted model and subsequent user interaction.
Affected Software
Technical Details
This vulnerability is an instance of 'Deserialization of Untrusted Data' in MLflow versions 2.0.0rc0 and newer, specifically affecting TensorFlow models. MLflow's model serving and interaction mechanism deserializes model payloads. An attacker can craft a TensorFlow model whose structure contains malicious serialized objects or code. When this crafted model is uploaded to the MLflow platform and later loaded or executed by an end user (e.g., for inference, visualization, or further processing), the deserialization step reconstructs the attacker's embedded code. The result is arbitrary code execution on the system where the model is loaded or run, typically with the privileges of the MLflow server or of the user interacting with the model.
What is the Impact of BIT-mlflow-2024-37057?
Successful exploitation may allow attackers to execute arbitrary code on the end user's or server's system with the privileges of the process interacting with the model, leading to system compromise, data exfiltration, or denial of service.
What is the Exploitability of BIT-mlflow-2024-37057?
Exploitation of this vulnerability is of moderate complexity. An attacker must first upload a specially crafted TensorFlow model containing a malicious payload to the MLflow platform, which implies either holding legitimate credentials to upload models or exploiting another vulnerability to gain upload access. An end user must then interact with this malicious model for the deserialization and code execution to occur. The attack can be remote or local, depending on how the MLflow instance is accessed and how models are interacted with. Authentication is required for model upload, but subsequent interaction might not be. Privilege requirements depend on the execution context of the deserialization. Risk factors include MLflow instances exposed to untrusted model uploads or lacking sufficient validation of model artifacts before rendering or execution.
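The technical details and risk factors above both come down to one control point: a model artifact directory is handed to a loader that deserializes it, and nothing checks whether those files are the ones that were registered. The following is an added example, not code from the advisory or from the MLflow project, of a defensive gate that refuses to pass a model directory to any loader unless it matches an HMAC-signed manifest of file hashes produced at registration time. The signing key, file contents, and the `loader` callable are all constructed or hypothetical; in practice the manifest would be signed in the CI step that registers the model and the key kept in a secrets manager, with `loader` wrapping the framework's real load function.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

# Hypothetical gate: before any TensorFlow/MLflow loader touches a model
# directory, require a signed manifest of the exact files it should contain.
# The signing key used in demo() is a constructed value, not a real secret.


def compute_manifest(model_dir: Path) -> Dict[str, str]:
    """Map every regular file under model_dir (relative POSIX path) to its SHA-256."""
    manifest: Dict[str, str] = {}
    for path in sorted(model_dir.rglob("*")):
        if path.is_symlink():
            # A symlink could redirect the loader outside the artifact tree.
            raise ValueError(f"symlink not allowed in model artifacts: {path}")
        if path.is_file():
            rel = path.relative_to(model_dir).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def _canonical(manifest: Dict[str, str]) -> bytes:
    # Deterministic encoding so the same manifest always signs identically.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    return hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()


def verify_model_dir(model_dir: Path, manifest: Dict[str, str],
                     signature: str, key: bytes) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only if the manifest is authentic and
    the directory matches it exactly: no changed, missing, or extra files."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature mismatch"
    try:
        actual = compute_manifest(model_dir)
    except ValueError as exc:
        return False, str(exc)
    extra = sorted(set(actual) - set(manifest))
    if extra:
        return False, f"unexpected files: {extra}"
    missing = sorted(set(manifest) - set(actual))
    if missing:
        return False, f"missing files: {missing}"
    changed = sorted(p for p in manifest if actual[p] != manifest[p])
    if changed:
        return False, f"changed files: {changed}"
    return True, "ok"


def load_verified_model(model_dir: Path, manifest: Dict[str, str], signature: str,
                        key: bytes, loader: Callable[[Path], object]) -> object:
    """Call `loader` (hypothetically, a wrapper around the framework's own
    model-loading function) only after the artifact directory passes verification."""
    ok, reason = verify_model_dir(model_dir, manifest, signature, key)
    if not ok:
        raise PermissionError(f"refusing to load model from {model_dir}: {reason}")
    return loader(model_dir)


def demo() -> Dict[str, object]:
    """Build a constructed model directory, sign it, then show that a modified
    file, an unexpected extra file, and a bad signature are each refused."""
    key = b"constructed-demo-key-not-a-real-secret"
    results: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        model_dir = Path(tmp) / "model"
        (model_dir / "variables").mkdir(parents=True)
        # Constructed placeholder contents, not a real SavedModel.
        (model_dir / "MLmodel").write_text("flavors:\n  tensorflow: {}\n")
        (model_dir / "saved_model.pb").write_bytes(b"constructed-placeholder")
        (model_dir / "variables" / "variables.index").write_bytes(b"\x00" * 8)

        manifest = compute_manifest(model_dir)
        signature = sign_manifest(manifest, key)
        # Stand-in loader: returns the directory name instead of a model object.
        results["loaded"] = load_verified_model(model_dir, manifest, signature,
                                               key, loader=lambda p: p.name)

        (model_dir / "saved_model.pb").write_bytes(b"modified-after-signing")
        results["tampered"] = verify_model_dir(model_dir, manifest, signature, key)

        (model_dir / "saved_model.pb").write_bytes(b"constructed-placeholder")
        (model_dir / "extra.py").write_text("# unexpected file\n")
        results["extra_file"] = verify_model_dir(model_dir, manifest, signature, key)

        results["bad_signature"] = verify_model_dir(model_dir, manifest, "00" * 32, key)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The gate checks provenance and integrity, not safety: a model that was registered by an attacker with valid credentials will still verify. It therefore narrows the exposure described above (unauthenticated or tampered artifacts reaching the deserializer) rather than replacing an upgrade once one is available, and it is most useful when combined with restricting who may register models at all.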
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-mlflow-2024-37057?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to BIT-mlflow-2024-37057?
Similar Vulnerabilities: CVE-2024-37056, CVE-2023-28434, CVE-2022-25648, CVE-2021-39145, CVE-2020-14287
