CVE-2025-14279: mlflow: DNS rebinding via missing Origin header validation

GHSA-pgqp-8h46-6x4j HIGH
Published January 12, 2026
CISO Take

Any team running MLFlow ≤ 3.4.0 is exposed to DNS rebinding attacks that allow attacker-controlled web pages to silently query, modify, or delete ML experiments via the local REST API without authentication. Patch to 3.5.0 immediately—this is a one-line pip upgrade. If patching is blocked, bind MLFlow to localhost only and deploy a reverse proxy with Origin header enforcement in front of it.

Risk Assessment

High risk for organizations where MLFlow is running on developer workstations or internal ML platforms without strict network segmentation. CVSS 8.1 reflects low attack complexity and high impact on confidentiality and integrity, offset by required user interaction (victim must visit a malicious page). The low EPSS (0.023%) suggests limited active exploitation today, but MLFlow's ubiquity in ML pipelines and the ease of DNS rebinding tooling make this an attractive low-sophistication target. Highest exposure is in organizations where data scientists run MLFlow locally with default settings and no authentication layer.

Affected Systems

Package   Ecosystem   Vulnerable Range   Patched
mlflow    pip         < 3.5.0            3.5.0

Package profile: 25.7K · OpenSSF 4.5 · 624 dependents · pushed 7d ago · 24% patched · ~64d to patch


Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 9% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: None

Recommended Action

6 steps

  1. PATCH: Upgrade to MLFlow 3.5.0 immediately (pip install --upgrade mlflow).

  2. NETWORK: Bind the MLFlow server to localhost only (mlflow server --host 127.0.0.1) and enforce firewall rules blocking external access to the tracking port.

  3. PROXY: If a shared MLFlow server is required, place nginx or traefik in front of it with an explicit Origin header allowlist.

  4. DETECT: Audit MLFlow access logs for unexpected experiment deletions, bulk parameter queries, or access from unfamiliar source IPs in the past 90 days.

  5. SECRETS HYGIENE: Audit experiment parameters and tags for embedded API keys, credentials, or dataset access tokens; rotate any found.

  6. LONG-TERM: Enable MLFlow's built-in authentication and enforce network-level access controls as baseline MLOps hygiene.
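The DETECT step above is easy to state and tedious to do by hand. The script below is an added example (not part of the advisory and not MLflow's code) that scans tracking-server access logs for the three signals the step names: experiment deletions, bursts of query calls from one source, and requests from unfamiliar IPs. Because a DNS-rebinding request is issued by the victim's own browser, its source IP is the loopback address, so the script also flags browser requests whose Referer points at a host outside the allowlist; that fourth check is a generalization beyond the step's wording. Assumptions: log lines are in the combined log format gunicorn writes by default, the endpoint paths follow MLflow's REST API, and TRUSTED_NETS, TRUSTED_REFERERS and the sample log lines are constructed placeholders to replace with site-specific values.

```python
"""Triage helper for step 4 (DETECT): scan MLflow tracking-server access logs
for deletions, bulk queries, unfamiliar source IPs and external Referers.

Added example, not part of the advisory or of MLflow. Assumed: combined log
format (gunicorn default), MLflow REST endpoint paths, placeholder allowlists.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

DELETE_PATHS = {"/api/2.0/mlflow/experiments/delete", "/api/2.0/mlflow/runs/delete"}
QUERY_PATHS = {"/api/2.0/mlflow/experiments/search", "/api/2.0/mlflow/experiments/list",
               "/api/2.0/mlflow/runs/search"}
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]   # placeholder
TRUSTED_REFERERS = {"mlflow.internal", "localhost", "127.0.0.1"}        # placeholder
BULK_THRESHOLD = 5                    # this many query calls from one IP ...
BULK_WINDOW = timedelta(seconds=10)   # ... inside this window counts as a bulk query


def parse_line(line):
    """Parse one combined-format access-log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]   # drop the query string
    return rec


def scan(lines):
    """Return findings as (kind, source_ip, detail) tuples, in log order."""
    findings = []
    reported = set()                 # suppress repeats of per-source findings
    query_times = defaultdict(list)  # source ip -> timestamps of recent query calls
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, ts = rec["ip"], rec["path"], rec["ts"]
        if path in DELETE_PATHS:
            findings.append(("deletion", ip, path))
        try:
            trusted = any(ip_address(ip) in net for net in TRUSTED_NETS)
        except ValueError:           # unparseable address: treat as untrusted
            trusted = False
        if not trusted and ("unfamiliar_source", ip) not in reported:
            reported.add(("unfamiliar_source", ip))
            findings.append(("unfamiliar_source", ip, path))
        ref_host = urlsplit(rec["referer"]).hostname if rec["referer"] != "-" else None
        if ref_host and ref_host not in TRUSTED_REFERERS \
                and ("external_referer", ip, ref_host) not in reported:
            reported.add(("external_referer", ip, ref_host))
            findings.append(("external_referer", ip, ref_host))
        if path in QUERY_PATHS:
            times = [t for t in query_times[ip] if ts - t <= BULK_WINDOW] + [ts]
            query_times[ip] = times
            if len(times) == BULK_THRESHOLD:   # fires once as a burst crosses the threshold
                findings.append(("bulk_query", ip, path))
    return findings


# Constructed sample log: one benign internal query, a loopback burst driven by a
# page on the domain named in the scenario, a deletion, and one external client.
SAMPLE_LOG = """\
10.1.2.3 - - [12/Jan/2026:09:00:00 +0000] "GET /api/2.0/mlflow/experiments/search?max_results=10 HTTP/1.1" 200 512 "http://mlflow.internal:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:00 +0000] "POST /api/2.0/mlflow/runs/search HTTP/1.1" 200 2048 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:01 +0000] "POST /api/2.0/mlflow/runs/search HTTP/1.1" 200 2048 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:02 +0000] "POST /api/2.0/mlflow/runs/search HTTP/1.1" 200 2048 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:03 +0000] "POST /api/2.0/mlflow/runs/search HTTP/1.1" 200 2048 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:04 +0000] "POST /api/2.0/mlflow/runs/search HTTP/1.1" 200 2048 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
127.0.0.1 - - [12/Jan/2026:09:05:06 +0000] "POST /api/2.0/mlflow/experiments/delete HTTP/1.1" 200 2 "http://mlops-toolkit-update.com:5000/" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2026:11:30:00 +0000] "GET /api/2.0/mlflow/experiments/list HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_LOG.splitlines()):
        print(f"{kind:18} {ip:15} {detail}")
```

Run it against the real log by replacing SAMPLE_LOG.splitlines() with the file's lines; the thresholds are deliberately low so the constructed sample trips them and should be tuned to the server's normal query rate before use.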

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Art. 9 - Risk Management System for High-Risk AI
  Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.2 - AI system security requirements
  A.6.2.5 - AI System Access and Use Controls
  A.8.3 - Security of AI System Development and Maintenance
NIST AI RMF
  GOVERN 6.1 - Policies for AI risk and security are established and maintained
  MANAGE 2.2 - Mechanisms are in place to sustain the value and integrity of deployed AI systems
OWASP LLM Top 10
  LLM02 - Sensitive Information Disclosure
  LLM06:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-14279?

Any team running MLFlow ≤ 3.4.0 is exposed to DNS rebinding attacks that allow attacker-controlled web pages to silently query, modify, or delete ML experiments via the local REST API without authentication. Patch to 3.5.0 immediately—this is a one-line pip upgrade. If patching is blocked, bind MLFlow to localhost only and deploy a reverse proxy with Origin header enforcement in front of it.

Is CVE-2025-14279 actively exploited?

No confirmed active exploitation of CVE-2025-14279 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-14279?

1. PATCH: Upgrade to MLFlow 3.5.0 immediately (`pip install --upgrade mlflow`).
2. NETWORK: Bind the MLFlow server to localhost only (`mlflow server --host 127.0.0.1`) and enforce firewall rules blocking external access to the tracking port.
3. PROXY: If a shared MLFlow server is required, place nginx or traefik in front of it with an explicit Origin header allowlist.
4. DETECT: Audit MLFlow access logs for unexpected experiment deletions, bulk parameter queries, or access from unfamiliar source IPs in the past 90 days.
5. SECRETS HYGIENE: Audit experiment parameters and tags for embedded API keys, credentials, or dataset access tokens; rotate any found.
6. LONG-TERM: Enable MLFlow's built-in authentication and enforce network-level access controls as baseline MLOps hygiene.

What systems are affected by CVE-2025-14279?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML experiment tracking, model registry, MLOps platforms, data science workstations.

What is the CVSS score for CVE-2025-14279?

CVE-2025-14279 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
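The root cause named above is a missing Origin check. The reason a header check defeats DNS rebinding is that the browser keeps addressing the attacker's hostname even after the name resolves to 127.0.0.1: the Host header (and, on cross-site requests, the Origin header) still carries that name, while a legitimate local client sends localhost or the server's real name. The WSGI middleware below is an added example, not MLflow's 3.5.0 patch and not code from the project; it allowlists both headers, which is the same class of control as the Origin allowlist the PROXY step recommends, with a Host check added as a generalization. ALLOWED_HOSTS and mlflow.internal are placeholders, and the loopback and IPv6 forms are handled because local tracking servers are reached that way.

```python
"""Host and Origin allowlisting as a DNS-rebinding guard for a local REST
server such as MLflow's tracking server.

Added illustration of the control class, not MLflow's own fix. It can wrap
any WSGI application (MLflow's server is Flask-based). ALLOWED_HOSTS is a
placeholder to replace with the names the server is legitimately reached by.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1", "mlflow.internal"}  # placeholder


def _hostname(value):
    """Lower-cased host part of a Host header or Origin URL, without the port.

    Returns None for a missing, empty or malformed value, so callers fail closed.
    """
    if not value:
        return None
    if "://" not in value:          # bare Host header: let the URL parser handle [::1]:5000
        value = "//" + value
    try:
        return urlsplit(value).hostname
    except ValueError:              # e.g. unbalanced IPv6 brackets
        return None


def check_request(headers, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a request may reach the API.

    headers: mapping of header name (any case) -> value.
    Returns (allowed, reason). Host must always be allowlisted; Origin must be
    allowlisted whenever a browser sends it. "null" origins are rejected too.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = _hostname(h.get("host"))
    if host is None or host not in allowed_hosts:
        return False, f"host not allowed: {h.get('host')!r}"
    origin = h.get("origin")
    if origin is not None:
        o = _hostname(origin)
        if o is None or o not in allowed_hosts:
            return False, f"origin not allowed: {origin!r}"
    return True, "ok"


class RebindingGuard:
    """WSGI middleware returning 403 for requests whose Host or Origin is not allowlisted."""

    def __init__(self, app, allowed_hosts=ALLOWED_HOSTS):
        self.app, self.allowed_hosts = app, allowed_hosts

    def __call__(self, environ, start_response):
        headers = {"Host": environ.get("HTTP_HOST")}
        if "HTTP_ORIGIN" in environ:
            headers["Origin"] = environ["HTTP_ORIGIN"]
        ok, reason = check_request(headers, self.allowed_hosts)
        if not ok:
            body = reason.encode()
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Stand-in for the tracking server: answers every request with 200."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"experiments": []}']


def call(app, host, origin=None):
    """Drive one request through a WSGI app and return its status line."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/api/2.0/mlflow/experiments/search",
               "HTTP_HOST": host}
    if origin is not None:
        environ["HTTP_ORIGIN"] = origin
    status = []
    app(environ, lambda s, hdrs: status.append(s))
    return status[0]


if __name__ == "__main__":
    guarded = RebindingGuard(_demo_app)
    print(call(guarded, "localhost:5000"))                       # local UI / CLI traffic
    print(call(guarded, "[::1]:5000"))                           # IPv6 loopback
    print(call(guarded, "mlops-toolkit-update.com:5000",         # rebound name from the scenario
               "http://mlops-toolkit-update.com:5000"))
```

Non-browser clients such as the mlflow Python client send no Origin header, so the Origin branch only fires for browser-initiated requests; the Host check is what covers the rest, which is why both are needed. A reverse proxy in front of a shared server should apply the same two checks rather than only the Origin one.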

Exploitation Scenario

An attacker registers a domain (e.g., mlops-toolkit-update.com) and hosts malicious JavaScript. They send a targeted phishing email to a data scientist on the victim team. The scientist visits the page while their local MLFlow tracking server runs on the default localhost:5000. The attacker's DNS server rotates the domain's A record to 127.0.0.1 after initial connection—classic DNS rebinding. The malicious JavaScript now issues `fetch()` calls to `http://mlops-toolkit-update.com:5000/api/2.0/mlflow/experiments/list`, which the browser permits because the origin appears to match. The script silently exfiltrates all experiment metadata, run parameters (including any embedded secrets), and artifact URIs, then optionally deletes experiments to destroy evidence. No authentication prompt is shown; the scientist notices nothing.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published: January 12, 2026
Last Modified: January 13, 2026
First Seen: January 12, 2026
