Description
Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.
Published: 2024-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

No analysis available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-2191 MLFlow unsafe deserialization
Github GHSA Github GHSA GHSA-wf7f-8fxf-xfxc MLFlow unsafe deserialization
History

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00402}

 epss

{'score': 0.00383}

Sun, 13 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00216}

 epss

{'score': 0.00402}

Mon, 03 Feb 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Lfprojects
Lfprojects mlflow
CPEs cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*
Vendors & Products Lfprojects
Lfprojects mlflow

Subscriptions

Lfprojects Mlflow
cve-icon MITRE

Status: PUBLISHED

Assigner: HiddenLayer

Published:

Updated: 2024-08-02T03:43:50.934Z

Reserved: 2024-05-31T14:16:48.807Z

Link: CVE-2024-37059

cve-icon Vulnrichment

Updated: 2024-08-02T03:43:50.934Z

cve-icon NVD

Status : Analyzed

Published: 2024-06-04T12:15:12.227

Modified: 2025-02-03T14:46:23.250

Link: CVE-2024-37059

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses