{"data":{"id":"a9c1295a-9b68-4afa-bdf9-d299edb1eaeb","title":"CVE-2024-37059: Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.5.0 or newer, enabling a maliciously uploaded PyTorch model to run arbitrary code on a user's system when the model is opened or used","summary":"CVE-2024-37059 is a vulnerability in MLflow (a platform for managing machine learning workflows) version 0.5.0 and newer where deserialization of untrusted data (reconstructing in-memory objects from an externally supplied file without first verifying that the file is safe) can occur. An attacker can upload a malicious PyTorch model (a type of machine learning model file) that executes arbitrary code (runs any commands they choose) on the computer of any user who opens or uses the model.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-37059","publishedAt":"2024-06-04T16:15:12.227Z","cveId":"CVE-2024-37059","cweIds":["CWE-502","CWE-502"],"cvssScore":"8.8","cvssSeverity":"high","severity":"high","attackType":["model_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["MLflow"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.0057,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-586"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"model","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}