The advisory explicitly identifies `_load_model_from_local_file` in `sklearn/__init__.py` as the vulnerable entry point for CVE-2024-37053. The function passes user-controlled model files directly to unsafe deserialization calls (`pickle.load()` / `cloudpickle.load()`). This matches the CWE-502 pattern of deserializing untrusted data, and the function is called by `mlflow.sklearn.load_model`, which is the primary attack vector described in the vulnerability reports.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| mlflow | pip | >= 1.1.0, <= 2.14.1 |
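
A pre-load check for the deserialization path described above, as an added example that is not MLflow's code or its fix: it walks a pickle's opcodes with `pickletools` (nothing is executed) and reports every import outside an allowlist. The names `ALLOWED_ROOTS`, `imported_globals` and `violations` and the allowlist contents are assumptions made for illustration.

```python
import collections
import os.path
import pickle
import pickletools

# Assumption: top-level modules a scikit-learn model pickle may import from.
ALLOWED_ROOTS = {"sklearn", "numpy", "scipy", "collections"}
STRING_OPS = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"}
PUT_OPS = {"PUT", "BINPUT", "LONG_BINPUT", "MEMOIZE"}
GET_OPS = {"GET", "BINGET", "LONG_BINGET"}


def imported_globals(data: bytes):
    """List (module, name) pairs the pickle imports, without executing it.
    (None, None) marks a STACK_GLOBAL whose operands could not be resolved."""
    memo, pushes, found = {}, [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in PUT_OPS:  # remember what is on top of the stack
            memo[len(memo) if arg is None else arg] = pushes[-1] if pushes else None
        elif op.name == "FRAME":  # framing only, no stack effect
            continue
        elif op.name in ("GLOBAL", "INST"):  # operands are inline: "module name"
            found.append(tuple(arg.split(" ", 1)))
            pushes.append(None)
        elif op.name == "STACK_GLOBAL":  # operands are the two previous pushes
            pair = tuple(pushes[-2:])
            ok = len(pair) == 2 and all(isinstance(p, str) for p in pair)
            found.append(pair if ok else (None, None))
            pushes.append(None)
        elif op.name in STRING_OPS:
            pushes.append(arg)
        elif op.name in GET_OPS:
            pushes.append(memo.get(arg))
        else:
            pushes.append(None)  # any other value is treated as unknown
    return found


def violations(data: bytes, allowed_roots=ALLOWED_ROOTS):
    """Imports outside the allowlist; unparseable input fails closed."""
    try:
        refs = imported_globals(data)
    except Exception:
        return [("<unparseable>", "")]
    return [(m, n) for m, n in refs if m is None or m.split(".")[0] not in allowed_roots]


# Constructed samples: plain data, an allowlisted class, and a function reference.
PLAIN = pickle.dumps({"coef": [0.1, 0.2]})
ALLOWED = pickle.dumps(collections.OrderedDict(a=1))
FLAGGED = pickle.dumps(os.path.join)
```

A module-level allowlist this coarse still admits every callable inside the allowed packages, so the check narrows what a model file can import rather than making an untrusted file safe to load.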