CVE-2024-37056

8.8 HIGH

📋 TL;DR

This vulnerability allows remote code execution through malicious ML models in MLflow. Attackers can upload specially crafted LightGBM scikit-learn models that execute arbitrary code when loaded. Organizations using MLflow 1.23.0 or newer for model management are affected.

💻 Affected Systems

Products:
  • MLflow
Versions: 1.23.0 and newer
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where users can upload or load LightGBM scikit-learn models. The vulnerability is in the model deserialization process.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Full system compromise allowing attackers to execute arbitrary commands, steal data, deploy ransomware, or pivot to other systems in the network.

🟠 Likely Case
Data exfiltration from MLflow servers, credential theft, and installation of backdoors for persistent access.

🟢 If Mitigated
Limited impact if proper network segmentation, model validation, and least privilege access controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to upload models to MLflow. The vulnerability is in the deserialization of pickle files within LightGBM models.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.14.0

Vendor Advisory: https://hiddenlayer.com/sai-security-advisory/mlflow-june2024

Restart Required: Yes

Instructions:

1. Upgrade MLflow to version 2.14.0 or later
2. Restart all MLflow services
3. Verify the upgrade was successful by checking the version

🔧 Temporary Workarounds

Disable LightGBM model loading (applies to: all)
  • Temporarily disable loading of LightGBM scikit-learn models until patching is complete
  • Configure MLflow to reject LightGBM model uploads at the API level

Implement model validation (applies to: all)
  • Add a validation layer to inspect models before loading
  • Implement pre-loading checks for pickle files in uploaded models
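One way to implement the pre-loading check described above, as an added example that is not part of this advisory, MLflow or LightGBM: disassemble the pickle with `pickletools.genops` (which never executes it) and list every module/attribute reference the payload would import via GLOBAL or STACK_GLOBAL, then refuse anything outside an allowlist. The allowlist of module prefixes, the sample payloads and the assumption that the model artifact is a file such as `model.pkl` are all constructed for this example.

```python
"""Screen a pickle payload for the imports it would perform on load,
before handing it to MLflow/LightGBM. Added example; not code from the
advisory, MLflow or LightGBM."""
import pickle
import pickletools
from collections import OrderedDict
from typing import List, Tuple

# Module prefixes a LightGBM scikit-learn model is expected to reference
# (an assumption for this example; tune to what your models actually need).
ALLOWED_MODULE_PREFIXES = ("lightgbm", "sklearn", "numpy", "scipy", "pandas",
                           "builtins", "collections", "copyreg")

STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
              "STRING", "BINSTRING", "SHORT_BINSTRING"}
GET_OPS = {"BINGET", "LONG_BINGET", "GET"}
PUT_OPS = {"BINPUT", "LONG_BINPUT", "PUT"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """Return every (module, name) pair the pickle resolves via GLOBAL or
    STACK_GLOBAL. Only the string pushes and the memo are modelled, which is
    enough because STACK_GLOBAL must pop two strings in a valid pickle."""
    refs: List[Tuple[str, str]] = []
    strings: List[str] = []   # most recent string pushes still on the stack
    memo = {}                 # memo slots that hold strings
    last = None               # last value pushed, for MEMOIZE/PUT
    for op, arg, _pos in pickletools.genops(data):
        name = op.name
        if name in STRING_OPS:
            strings.append(arg)
            strings = strings[-2:]
            last = arg
        elif name == "MEMOIZE":
            memo[len(memo)] = last
        elif name in PUT_OPS:
            memo[arg] = last
        elif name in GET_OPS:
            val = memo.get(arg)
            if isinstance(val, str):
                strings.append(val)
                strings = strings[-2:]
            last = val
        elif name == "GLOBAL":           # protocol 0-3: arg is "module name"
            module, attr = arg.split(" ", 1)
            refs.append((module, attr))
            last = None
        elif name == "STACK_GLOBAL":     # protocol 4+: module and name on stack
            if len(strings) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            refs.append((strings[-2], strings[-1]))
            del strings[-2:]
            last = None
        elif name == "STOP":
            break
        else:
            last = None
    return refs


def unexpected_references(data: bytes, allowed=ALLOWED_MODULE_PREFIXES):
    """References whose module is outside the allowlist (exact or dotted prefix)."""
    return [(m, n) for m, n in referenced_globals(data)
            if not any(m == p or m.startswith(p + ".") for p in allowed)]


def safe_to_load(data: bytes) -> bool:
    """Gate to call before mlflow/lightgbm deserialises the artifact."""
    return not unexpected_references(data)


# Constructed samples. None of them is ever unpickled in this script.
BENIGN = pickle.dumps({"n_estimators": 100, "weights": [0.5, 0.25]})
BENIGN_WITH_GLOBAL = pickle.dumps(OrderedDict([("a", 1)]))   # allowed module
SUSPECT_PROTO0 = b"cos\nsystem\n."                             # GLOBAL os.system
SUSPECT_PROTO4 = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94."  # STACK_GLOBAL

if __name__ == "__main__":
    for label, blob in [("benign", BENIGN), ("benign_global", BENIGN_WITH_GLOBAL),
                        ("proto0", SUSPECT_PROTO0), ("proto4", SUSPECT_PROTO4)]:
        print(label, "OK" if safe_to_load(blob) else f"REJECT {unexpected_references(blob)}")
```

Run the gate over the bytes of each `.pkl` inside the downloaded model directory before `mlflow.pyfunc.load_model` or the LightGBM flavor touches it. It is a screening heuristic, not a sandbox: it catches references to modules the model has no business importing, but an upgrade to 2.14.0 remains the actual fix.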

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate MLflow servers from critical systems
  • Enforce least privilege access controls and audit all model uploads

🔍 How to Verify

Check if Vulnerable:

Check the MLflow version: if it is 1.23.0 or newer but earlier than 2.14.0, the system is vulnerable

Check Version:

mlflow --version

Verify Fix Applied:

Confirm that the MLflow version is 2.14.0 or later and that LightGBM model loading still works
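A small check that applies the version range from this section, added here as an example rather than taken from the advisory or from MLflow: it parses a version string (the raw output of `mlflow --version`, assumed here to have the form `mlflow, version X.Y.Z`, also works) and reports whether it falls in [1.23.0, 2.14.0). Pre-release suffixes such as `rc1` are ranked below the final release, so `2.14.0rc1` is treated as still affected.

```python
"""Decide whether an MLflow version is in the range affected by CVE-2024-37056
(1.23.0 <= version < 2.14.0, as stated in the advisory). Added example; not
part of the advisory or of MLflow."""
import re
import subprocess
from typing import Optional, Tuple

# (major, minor, patch, is_final); is_final=1 ranks a release above its rc/dev builds
AFFECTED_MIN = (1, 23, 0, 0)   # first affected release, from the advisory
FIXED_IN = (2, 14, 0, 1)       # first patched release, from the advisory

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([.\-]?[A-Za-z]\w*)?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract a comparable tuple from '2.13.1', '2.14.0rc1', '2.14.0.dev0'
    or CLI output such as 'mlflow, version 2.13.1'. Returns None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, suffix = m.groups()
    return (int(major), int(minor), int(patch), 0 if suffix else 1)


def is_affected(version: str) -> bool:
    """True when the version lies in [1.23.0, 2.14.0)."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"cannot parse version from {version!r}")
    return AFFECTED_MIN <= v < FIXED_IN


def installed_mlflow_version() -> Optional[str]:
    """Run `mlflow --version` and return its raw output, or None if the CLI
    is not on PATH. Output format is assumed to be 'mlflow, version X.Y.Z'."""
    try:
        out = subprocess.run(["mlflow", "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return (out.stdout or out.stderr).strip() or None


if __name__ == "__main__":
    raw = installed_mlflow_version()
    if raw is None:
        print("mlflow CLI not found")
    else:
        print(raw, "-> AFFECTED, upgrade to 2.14.0+" if is_affected(raw) else "-> not affected")
```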

📡 Detection & Monitoring

Log Indicators:

  • Unusual model uploads from unexpected sources
  • Errors during model deserialization
  • Suspicious command execution in MLflow logs

Network Indicators:

  • Unexpected outbound connections from MLflow servers
  • Large model uploads from untrusted sources

SIEM Query:

source="mlflow" AND (event="model_upload" OR event="model_load") | stats count by src_ip, model_type
