CVE-2024-37060
Deserialization of untrusted data vulnerability in mlflow (PyPI)
What is CVE-2024-37060 About?
This vulnerability involves the deserialization of untrusted data within the MLflow platform, which can lead to remote code execution. A maliciously crafted Recipe, when executed by an end user, can trigger arbitrary code execution. Exploitation requires user interaction, but it is relatively easy to achieve once the malicious Recipe has been introduced to the victim.
Affected Software
Technical Details
The vulnerability stems from the MLflow platform's handling of deserialization, specifically in versions 1.27.0 and newer. An attacker can craft a malicious 'Recipe' which contains untrusted serialized data. When an end user runs this crafted Recipe, the platform attempts to deserialize the untrusted data without sufficient validation or sanitization. This lack of proper handling during deserialization allows the attacker's embedded arbitrary code to be executed on the end user's system, effectively compromising the system.
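The following is an added illustration of the pattern described above, not code from MLflow or from this advisory: the page does not describe MLflow's actual Recipe format, so the recipe structure, the pickle-based encoding and the allowlist contents are assumptions. It places the vulnerable form (handing untrusted bytes straight to `pickle.loads`) beside a hardened form that refuses to resolve any global not on an explicit allowlist, which is the standard Python mitigation when a pickle-based format cannot be replaced outright with a data-only format such as JSON.

```python
import collections
import io
import pickle

# Constructed sample: a minimal "recipe" settings object of the kind a
# pipeline tool might persist. It contains only builtin scalar and
# container types, which is all a configuration file should ever need.
EXAMPLE_RECIPE = {
    "name": "train-baseline",
    "steps": ["ingest", "split", "train", "evaluate"],
    "params": {"max_depth": 6, "learning_rate": 0.1},
}


def encode_recipe(recipe: dict) -> bytes:
    """Serialize a recipe the way a pickle-based tool would (hypothetical helper)."""
    return pickle.dumps(recipe)


def unsafe_loads(data: bytes):
    """Vulnerable pattern: untrusted bytes go straight to pickle.

    pickle imports and calls whatever globals the stream names, so a crafted
    stream runs code during loading. Kept only as the 'before' form.
    """
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allowlist of globals.

    Assumption: a recipe legitimately needs nothing beyond builtin containers.
    Any other global named by the stream is refused before it is imported.
    """

    ALLOWED = {
        ("builtins", "dict"),
        ("builtins", "list"),
        ("builtins", "set"),
        ("builtins", "tuple"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to load global {module}.{name}: not on the recipe allowlist"
        )


def safe_loads(data: bytes):
    """Hardened form: deserialize with the allowlist enforced."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_cleanly(data: bytes) -> bool:
    """True if data deserializes under the allowlist, False if it was refused."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def unexpected_global_stream() -> bytes:
    """Constructed stream that names a global outside the allowlist.

    collections.Counter is harmless; the point is that any unexpected global,
    harmful or not, is rejected rather than imported.
    """
    return pickle.dumps(collections.Counter({"a": 1}))


def main():
    benign = encode_recipe(EXAMPLE_RECIPE)
    print("benign recipe accepted:", safe_loads(benign) == EXAMPLE_RECIPE)
    print("unexpected global refused:", not loads_cleanly(unexpected_global_stream()))


if __name__ == "__main__":
    main()
```

The allowlist approach still leaves pickle in the loop, so the stronger fix for a configuration format is to stop using pickle for anything that crosses a trust boundary and parse a data-only format instead; the restricted unpickler is the compensating control when that is not yet possible.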
What is the Impact of CVE-2024-37060?
Successful exploitation may allow attackers to execute arbitrary code on the affected system, leading to full system compromise, data theft, or further network penetration.
What is the Exploitability of CVE-2024-37060?
Exploitation of this vulnerability requires user interaction, specifically an end user running a maliciously crafted MLflow Recipe. The attacker needs to deliver the malicious Recipe to the victim, which could involve social engineering or compromising a trusted source. No authentication is explicitly stated as required to run the Recipe itself, but the context implies that an authenticated user runs it. The vulnerability is remotely exploitable because the crafted Recipe can be shared and executed across different systems. The complexity is moderate, as it requires crafting the specific Recipe and ensuring that the user executes it. The risk increases where MLflow users frequently exchange or download Recipes from untrusted sources.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-37060?
Available Upgrade Options
- No fixes available
Additional Resources
What are Similar Vulnerabilities to CVE-2024-37060?
Similar Vulnerabilities: CVE-2023-51460, CVE-2023-38545, CVE-2023-28169, CVE-2023-21966, CVE-2021-44228
