HIGH 8.8
GHSA-cwgg-w6mp-w9hg
MLflow unsafe deserialization
Details
Deserialization of untrusted data can occur in MLflow versions 2.5.0 and newer, enabling a maliciously uploaded Langchain AgentExecutor model to run arbitrary code on an end user's system when the model is interacted with.
Affected packages
PyPI / mlflow
Introduced in: 2.5.0
Fixed in: no fixed version published yet for mlflow (pip). Pin to a known-safe version or switch to an alternative.
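To answer "are you affected?" without the interactive widget, the following added script (not part of the advisory) compares a pinned or installed mlflow version against the range above: introduced in 2.5.0, no fix published. It assumes requirements.txt-style `mlflow==X.Y.Z` pins; the sample requirements text is constructed.

```python
"""Flag mlflow versions in the affected range of GHSA-cwgg-w6mp-w9hg (>= 2.5.0, no fix yet)."""
import re
from importlib import metadata

# Affected range taken from the advisory. FIXED is a placeholder to fill in once a fix ships.
INTRODUCED = (2, 5, 0)
FIXED = None

# Constructed sample requirements file, not taken from the advisory.
SAMPLE_REQUIREMENTS = "numpy==1.26.0\nmlflow==2.4.1\nmlflow==2.9.2  # prod\n"


def parse_version(v):
    """Turn '2.5.0', '2.9.2' or '2.6.0rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected(v):
    """True if v is at or above the introducing version and below the fixed one (if any)."""
    parsed = parse_version(v)
    if parsed < INTRODUCED:
        return False
    return FIXED is None or parsed < parse_version(FIXED)


def affected_pins(requirements_text):
    """Return every mlflow '==' pin in requirements.txt-style text that falls in the range."""
    findings = []
    for line in requirements_text.splitlines():
        m = re.match(r"^\s*mlflow\s*==\s*([0-9][^\s;#]*)", line, re.IGNORECASE)
        if m and is_affected(m.group(1)):
            findings.append(m.group(1))
    return findings


def installed_mlflow_affected():
    """Check the mlflow distribution in the current environment; None if not installed."""
    try:
        return is_affected(metadata.version("mlflow"))
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    print("affected pins in sample:", affected_pins(SAMPLE_REQUIREMENTS))
    print("installed mlflow affected:", installed_mlflow_affected())
```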