CVE-2024-37055: Deserialization of untrusted data can occur in versions of the MLflow platform running version 1.24.0 or newer, enabling
highvulnerability
security
Summary
CVE-2024-37055 is a vulnerability in MLflow (a machine learning platform) versions 1.24.0 and newer where deserialization of untrusted data (the process of converting saved data back into usable objects without checking if it's safe) can occur. This allows an attacker to upload a malicious pmdarima model (a machine learning model for time-series forecasting) that runs arbitrary code (any commands the attacker chooses) on a user's computer when the model is loaded and used.
Vulnerability Details
CVSS Score
8.8(high)
EPSS (30-day exploit probability)
EPSS: 0.5%
Classification
Attack Type
Model Poisoning
Attack SophisticationModerate
Impact (CIA+S)
integrityconfidentiality
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2024-37055
First tracked: February 15, 2026 at 08:46 PM
Classified by LLM (prompt v3) · confidence: 92%