CVE-2024-37058: Deserialization of untrusted data can occur in versions of the MLflow platform running version 2.5.0 or newer, enabling
Summary
CVE-2024-37058 is a vulnerability in MLflow (a platform for managing machine learning workflows) version 2.5.0 and newer that allows deserialization of untrusted data (converting stored data back into usable objects without checking that it is safe). An attacker can upload a malicious LangChain AgentExecutor model (a type of AI component) that runs arbitrary code on a user's system when that user interacts with it.
Vulnerability Details
8.8 (high)
EPSS: 0.5%
Classification
Affected Vendors
Related Issues
CVE-2024-37052: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.1.0 or newer, enabling
CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-37058
First tracked: February 15, 2026 at 08:35 PM
Classified by LLM (prompt v3) · confidence: 92%