AI Threat Alert AI Threat Alert

CVE-2025-11200: mlflow: security flaw enables exploitation

GHSA-6xj8-rrqx-r4cv CRITICAL
Published October 29, 2025
CISO Take

MLflow is the de facto ML lifecycle platform — if your team runs experiment tracking or a model registry, assume this instance is your crown jewels. A CVSS 9.8 unauthenticated network bypass means any attacker with network access owns your entire ML pipeline: models, training data, experiments, and artifacts. Patch to 2.22.0rc0 immediately or isolate MLflow behind a network-level auth proxy until you can patch.

Risk Assessment

CRITICAL. The CVSS 9.8 vector (AV:N/AC:L/PR:N/UI:N) is as bad as it gets: remotely exploitable, trivially simple, no prerequisites. MLflow instances are frequently exposed on internal networks with minimal segmentation, and sometimes accidentally internet-facing. The weak password bypass (CWE-521) likely means an empty or trivially guessable password is accepted. EPSS is currently low (0.00245) but this will increase rapidly once PoC tooling emerges — the zero-authentication condition makes mass scanning trivial. MLflow's privileged position in ML pipelines amplifies blast radius far beyond a typical web app breach.

Affected Systems

Package Ecosystem Vulnerable Range Patched
mlflow pip No patch
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →
mlflow pip < 2.22.0rc0 2.22.0rc0
25.7K OpenSSF 4.5 624 dependents Pushed 7d ago 24% patched ~64d to patch Full package profile →

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

6 steps

  1. PATCH

    Upgrade MLflow to >= 2.22.0rc0 immediately. Reference commit: 1f74f3f24d8273927b8db392c23e108576936c54.

  2. ISOLATE

    If patching is delayed, block external access to MLflow ports (default 5000) at the firewall/security group level. Place behind a reverse proxy (nginx/Caddy) with HTTP Basic Auth or mTLS as compensating control.

  3. AUDIT

    Review MLflow access logs for unexpected authenticated sessions, model registry changes, or artifact downloads in the past 90 days.

  4. INVENTORY

    Enumerate all MLflow instances in your environment — dev, staging, and prod. Shadow MLflow deployments are common in data science teams.

  5. DETECT

    Alert on MLflow login events from non-corporate IP ranges, unusual model promotion events, and bulk artifact downloads.

  6. CREDENTIAL ROTATION

    If any MLflow instance was exposed, assume all credentials stored in MLflow experiments (API keys, DB strings hardcoded in notebooks) are compromised.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Extraction Supply Chain Framework Model Training Data AML.T0010.001 AML.T0018.000 AML.T0025 AML.T0035 AML.T0049 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity Article 9 - Risk Management System
ISO 42001
A.8.3 - AI Supply Chain Security A.9.2 - AI System Access Control
NIST AI RMF
GOVERN-6.2 - AI Risk in the Supply Chain MANAGE-2.4 - Residual Risks and Countermeasures
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Insecure Plugin and Tool Design

Frequently Asked Questions

What is CVE-2025-11200?

MLflow is the de facto ML lifecycle platform — if your team runs experiment tracking or a model registry, assume this instance is your crown jewels. A CVSS 9.8 unauthenticated network bypass means any attacker with network access owns your entire ML pipeline: models, training data, experiments, and artifacts. Patch to 2.22.0rc0 immediately or isolate MLflow behind a network-level auth proxy until you can patch.

Is CVE-2025-11200 actively exploited?

No confirmed active exploitation of CVE-2025-11200 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-11200?

1. PATCH: Upgrade MLflow to >= 2.22.0rc0 immediately. Reference commit: 1f74f3f24d8273927b8db392c23e108576936c54. 2. ISOLATE: If patching is delayed, block external access to MLflow ports (default 5000) at the firewall/security group level. Place behind a reverse proxy (nginx/Caddy) with HTTP Basic Auth or mTLS as compensating control. 3. AUDIT: Review MLflow access logs for unexpected authenticated sessions, model registry changes, or artifact downloads in the past 90 days. 4. INVENTORY: Enumerate all MLflow instances in your environment — dev, staging, and prod. Shadow MLflow deployments are common in data science teams. 5. DETECT: Alert on MLflow login events from non-corporate IP ranges, unusual model promotion events, and bulk artifact downloads. 6. CREDENTIAL ROTATION: If any MLflow instance was exposed, assume all credentials stored in MLflow experiments (API keys, DB strings hardcoded in notebooks) are compromised.

What systems are affected by CVE-2025-11200?

This vulnerability affects the following AI/ML architecture patterns: MLOps pipelines, model registry, training pipelines, experiment tracking systems, model serving infrastructure, automated ML CI/CD pipelines.

What is the CVSS score for CVE-2025-11200?

CVE-2025-11200 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916.

Exploitation Scenario

An adversary performing reconnaissance against an AI-enabled organization scans for MLflow's default port 5000 or discovers the instance via exposed environment variables or internal documentation. They attempt authentication with a blank password or trivially weak credential (e.g., 'admin'/'admin'), bypassing the authentication check due to CWE-521. Once authenticated, the attacker browses the model registry to identify the organization's production models, downloads them for offline IP theft, and uploads a trojanized version of the most-used model with identical metadata. Because many MLflow deployments use automated promotion pipelines, the poisoned model is promoted to the production serving endpoint without human review. The model now exfiltrates inference inputs or produces subtly manipulated outputs — detected only when downstream business metrics degrade.

Weaknesses (CWE)

CWE-521 Weak Password Requirements Primary CWE-521

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
October 29, 2025
Last Modified
December 31, 2025
First Seen
October 29, 2025

Related Vulnerabilities

CRITICAL CVE-2025-15379 10.0

MLflow: RCE via unsanitized model dependency specs

Same package: mlflow
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same package: mlflow
CRITICAL CVE-2023-2780 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
CRITICAL CVE-2026-2635 9.8

mlflow: security flaw enables exploitation

Same package: mlflow
CRITICAL CVE-2023-1177 9.8

MLflow: path traversal allows arbitrary file read/write

Same package: mlflow
Back to Threat Feed