CVE-2024-37059 HIGH

CVE-2024-37059

Vendor Mlflow

Product MLflow

Weakness CWE-502 · Unsafe deserialization

Published June 4, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on an end user’s system when interacted with.

Key dates

02Disclosure timeline

June 4, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-37059 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/502.html

Related vulnerabilities

04Related CVE

CVE-2025-54897 Microsoft SharePoint Remote Code Execution Vulnerability CVE-2026-34615 Adobe Connect | Deserialization of Untrusted Data (CWE-502) CVE-2025-69405 WordPress Lorem Ipsum | Books & Media Store theme <= 1.2.11 - PHP Object Injection vulnerability CVE-2025-32571 WordPress TuriTop Booking System Plugin <= 1.0.10 - PHP Object Injection vulnerability CVE-2023-27459 WordPress User Registration plugin <= 2.3.2.1 - Authenticated PHP Object Injection vulnerability