CVE-2024-37061
Remote Code Execution vulnerability in mlflow (PyPI)

Remote Code Execution No known exploit

What is CVE-2024-37061 About?

This vulnerability in MLflow versions 1.11.0 or newer allows arbitrary code execution. It is triggered when a maliciously crafted MLproject is run, because the project's input is not filtered before use. This can lead to system compromise and data theft, and it is relatively easy to exploit since the attacker only needs to supply a malicious project.

Affected Software

mlflow >1.11.0, <=2.13.1

Technical Details

The vulnerability stems from insufficient input sanitization when MLflow versions 1.11.0 or newer process MLprojects. A malicious actor can craft an MLproject whose configuration or scripts contain arbitrary code. When an end user runs this crafted MLproject, the underlying system processes the unfiltered input and executes the attacker's code, giving the attacker Remote Code Execution (RCE) on the system where the MLproject is run.

What is the Impact of CVE-2024-37061?

Successful exploitation may allow attackers to execute arbitrary code on the affected system, potentially leading to full system compromise, data manipulation, theft, or further network penetration.

What is the Exploitability of CVE-2024-37061?

Exploitation is of medium complexity, as it requires crafting a malicious MLproject. No authentication is explicitly stated as required; the vulnerability abuses the normal execution flow of MLprojects. Privilege requirements depend on the context in which the MLproject is executed. It is a remote vulnerability, since the attacker delivers the malicious MLproject to the end user's system. The primary prerequisites are that the target runs an affected MLflow version and executes untrusted MLprojects. A major risk factor is the common practice of sharing and running MLprojects from various sources without strict validation.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-37061?

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2024-37061?

Similar Vulnerabilities: CVE-2023-38408, CVE-2022-32548, CVE-2021-44228, CVE-2020-8843, CVE-2019-10172