CVE-2024-37054

HIGH

MLflow >= 0.9.0 - Remote Code Execution via PyFunc Model Deserialization

Exploitation Summary

EIP tracks 6 public exploits for CVE-2024-37054. PoCs published by ben-slates, NiteeshPujari, vanhari.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-37054, targeting MLflow's pickle deserialization vulnerability. The exploit chain includes authentication, model upload, and payload execution via a malicious pickle file.

Description

Deserialization of untrusted data can occur in versions of the MLflow platform running version 0.9.0 or newer, enabling a maliciously uploaded PyFunc model to run arbitrary code on an end user’s system when interacted with.

Exploits (6)

nomisec WORKING POC 1 star
by ben-slates · poc
https://github.com/ben-slates/CVE-2024-37054

This repository contains a functional exploit for CVE-2024-37054, targeting MLflow's pickle deserialization vulnerability. The exploit chain includes authentication, model upload, and payload execution via a malicious pickle file.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MLflow < 2.14.3
Auth required
Prerequisites: MLflow Tracking Server access · Valid credentials for authentication · Network access to target
devstral-2 · analyzed May 17, 2026

nomisec WORKING POC 1 star
by NiteeshPujari · poc
https://github.com/NiteeshPujari/CVE-2024-37054-MLflow-RCE

This repository contains a functional Proof of Concept (PoC) for CVE-2024-37054, demonstrating a deserialization vulnerability in MLflow that allows Remote Code Execution (RCE). The PoC includes scripts to log a malicious model and load it, triggering arbitrary command execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MLflow versions 0.9.0 to 2.14.1
No auth needed
Prerequisites: Vulnerable MLflow server (version 0.9.0 to 2.14.1) · Ability to log a malicious model to the MLflow server
devstral-2 · analyzed Feb 18, 2026

github STUB
by vanhari · poc
https://github.com/vanhari/CVE-2024-37054

The repository contains only a minimal README with a title and brief description of CVE-2024-37054, but no actual exploit code, technical details, or proof-of-concept implementation.

Classification: Stub 90%
Attack Type: RCE
Complexity: Theoretical
Reliability: Theoretical
Target: MLflow (version unspecified)
No auth needed
Prerequisites: none specified
devstral-2 · analyzed May 20, 2026

github WORKING POC
by tristanqtn · python · poc
https://github.com/tristanqtn/CVE-2024-37054

The repository contains a functional exploit for CVE-2024-37054, which leverages unsafe deserialization in MLflow's pyfunc module to achieve remote code execution. The exploit automates the process of discovering models, uploading a malicious pickle payload, and triggering its execution.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MLflow 0.9.0 – 2.14.1
Auth required
Prerequisites: Access to MLflow tracking server · Valid credentials for MLflow and target application · Endpoint that triggers model loading
devstral-2 · analyzed May 19, 2026

github WORKING POC
by Spydomain · python · poc
https://github.com/Spydomain/CVE-2024-37054-MLflow-reverse-shell

This repository contains a functional exploit for CVE-2024-37054, leveraging pickle deserialization in MLflow to achieve unauthenticated remote code execution (RCE). The exploit generates a malicious pickle file with a reverse shell payload, uploads it to MLflow, and promotes it to Production, triggering execution upon a prediction request.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MLflow (version not specified, but likely affects multiple versions)
Auth required
Prerequisites: MLflow instance with accessible REST API · valid credentials for MLflow authentication · network access to the target MLflow server · ability to trigger the /predict endpoint
devstral-2 · analyzed May 18, 2026

nomisec WORKING POC
by jimmexploit · poc
https://github.com/jimmexploit/CVE-2024-37054-PoC

This repository contains a functional exploit for CVE-2024-37054, a deserialization vulnerability in MLflow versions 0.9.0 to 2.14.1. The exploit leverages malicious pickle payloads to achieve remote code execution when a pyfunc model is loaded via `mlflow.pyfunc.load_model()`.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MLflow versions 0.9.0 to 2.14.1
Auth required
Prerequisites: Access to MLflow API · Valid session cookie for authentication
devstral-2 · analyzed May 18, 2026

Scores

CVSS v3 8.8
EPSS 0.0070
EPSS Percentile 48.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE CWE-502
Status published
Products (2)
lfprojects/mlflow 0.9.0
pypi/mlflow 0.9.0 (PyPI)
Published Jun 04, 2024
Tracked Since Feb 18, 2026