CVE-2024-37058: Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling
Summary
CVE-2024-37058 is a vulnerability in MLflow (a platform for managing machine learning workflows) version 2.5.0 and newer that allows deserialization of untrusted data (the process of converting data from storage into usable objects without checking if it's safe). An attacker can upload a malicious Langchain AgentExecutor model (a type of AI component) that runs arbitrary code on a user's system when that user interacts with it.
Vulnerability Details
8.8(high)
EPSS: 0.5%
Classification
Affected Vendors
Related Issues
CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-37058
First tracked: February 15, 2026 at 08:35 PM
Classified by LLM (prompt v3) · confidence: 92%