PyPI: mlflow
CVE-2024-37054
Safety vulnerability ID: SFTY-20240604-57877
Safety legacy ID: pyup.io-71587
Deserialization of untrusted data can occur in affected versions of the MLflow platform, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
Overview
MLFlow unsafe deserialization
Advisory
Deserialization of untrusted data can occur in affected versions of the MLflow platform, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.
How to Fix
Upgrade
mlflow
to0.0.1
or higher.Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20240604-57877/CVE-2024-37054
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37054
- https://github.com/advisories/GHSA-ghv6-9r9j-wh4j
- https://github.com/mlflow/mlflow/blob/db9143d1db19468fa7a6484f80c409ff003de7d9/mlflow/pyfunc/model.py#L495-#L533
- https://nvd.nist.gov/vuln/detail/CVE-2024-37054
- https://hiddenlayer.com/sai-security-advisory/mlflow-june2024
- https://github.com/advisories/GHSA-ghv6-9r9j-wh4j
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more