CVE-2025-1473: MLflow: CSRF in signup allows rogue account creation

GHSA-969w-gqqr-g6j3 HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

An attacker can trick any user's browser into registering an attacker-controlled account on your MLflow server, bypassing intended access controls. This gives the attacker a persistent foothold in your ML experiment tracking platform with access to models, artifacts, and potentially training data. Patch to MLflow 2.20.3 immediately and verify your MLflow instance is not publicly reachable without network-level controls.

Risk Assessment

Risk is MEDIUM-HIGH for organizations with internet-exposed MLflow deployments and LOW for those with network-restricted instances. CVSS 7.1 and low attack complexity make this straightforward to exploit, but user interaction is required (the victim must visit an attacker-controlled page). The low EPSS score (0.00055) reflects that no exploitation in the wild has been observed so far. The confidentiality impact is HIGH because a rogue account grants full access to experiments, registered models, run artifacts, and any secrets stored in the MLflow tracking server, which makes this disproportionately dangerous in AI/ML environments where sensitive model IP and training pipelines live.

Affected Systems

Package   Ecosystem   Vulnerable Range        Patched
mlflow    pip         (not specified)         No patch
mlflow    pip         >= 2.17.0, < 2.20.3     2.20.3

Package profile: 25.7K, OpenSSF 4.5, 624 dependents, pushed 7d ago, 24% patched, ~64d to patch

Severity & Risk

CVSS 3.1: 7.1 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 37% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV)          Network
Attack Complexity (AC)      Low
Privileges Required (PR)    None
User Interaction (UI)       Required
Scope (S)                   Unchanged
Confidentiality (C)         High
Integrity (I)               Low
Availability (A)            None

Recommended Action

6 steps
  1. PATCH

    Upgrade MLflow to 2.20.3 immediately (fix commit: ecfa61cb43d3303589f3b5834fd95991c9706628).

  2. NETWORK

    Restrict MLflow server access to internal networks/VPN — no public exposure without WAF or reverse proxy with CSRF protection.

  3. AUDIT

    Review user accounts in MLflow for unauthorized registrations post-2025-01-01 (check /api/2.0/mlflow/users/list if using built-in auth).

  4. ROTATE

    If exposure was possible, rotate any MLflow API tokens and review access logs for anomalous activity.

  5. DETECT

    Alert on new account creation events in MLflow audit logs; correlate with known IP ranges.

  6. WORKAROUND (if patching is delayed)

    Disable self-registration if not required, or enforce SSO/OIDC via a proxy.
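The AUDIT and DETECT steps above both reduce to two checks: find signup POSTs whose browser-supplied Origin or Referer does not name the MLflow host (the signature of a cross-site form submission), and list accounts registered after a cutoff date. The block below is an added example, not MLflow's own code or code from this advisory. It assumes a reverse proxy in front of MLflow writes one log line per request with the Referer and Origin headers appended, that the signup endpoint is POST /signup (the path used in the scenario above), and that the trusted UI host is mlflow.internal; the log lines and user records are constructed samples. The same `origin_is_trusted` check is the guard a proxy or middleware would apply before forwarding a signup POST, which is the generic CSRF mitigation the WORKAROUND step alludes to.

```python
"""Defender-side checks for CSRF against a self-registration endpoint.

Added example, not MLflow's own code. Assumptions: a reverse proxy logs each
request as  client [ts] "METHOD PATH PROTO" status "referer" "origin" ,
the signup endpoint is POST /signup, and the only trusted UI host is
mlflow.internal. All sample data below is constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Hosts allowed to originate a signup POST (assumption: the deployment's own UI host).
ALLOWED_ORIGINS: Set[str] = {"mlflow.internal"}
SIGNUP_PATH = "/signup"

# Constructed proxy log format; "-" means the header was absent.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$'
)


def origin_is_trusted(origin: str, referer: str, allowed: Set[str]) -> bool:
    """CSRF guard for a state-changing request.

    Prefer the Origin header, fall back to Referer; the named host must be in
    the allow-list. A request carrying neither header, or an Origin of "null"
    (no hostname), is treated as untrusted so a forged POST cannot pass by
    omitting headers.
    """
    for header in (origin, referer):
        if header and header != "-":
            return urlsplit(header).hostname in allowed
    return False


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one proxy log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_cross_site_signups(lines: Iterable[str],
                            allowed: Set[str] = ALLOWED_ORIGINS) -> List[Dict[str, str]]:
    """DETECT step: return signup POSTs whose Origin/Referer is not trusted."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        if (rec["method"] == "POST" and rec["path"] == SIGNUP_PATH
                and not origin_is_trusted(rec["origin"], rec["referer"], allowed)):
            hits.append(rec)
    return hits


def users_created_since(users: Iterable[Dict[str, str]], cutoff_iso: str) -> List[Dict[str, str]]:
    """AUDIT step: accounts registered on or after cutoff (ISO dates compare as strings)."""
    return [u for u in users if u["created"] >= cutoff_iso]


# Constructed sample log: one legitimate signup from the MLflow UI, one
# submitted from a wiki page, one with no Origin/Referer at all.
SAMPLE_LOG = [
    '10.0.0.5 [20/Mar/2025:10:01:02 +0000] "GET /signup HTTP/1.1" 200 "https://mlflow.internal/" "-"',
    '10.0.0.5 [20/Mar/2025:10:01:30 +0000] "POST /signup HTTP/1.1" 200 "https://mlflow.internal/signup" "https://mlflow.internal"',
    '10.0.0.9 [21/Mar/2025:14:22:11 +0000] "POST /signup HTTP/1.1" 200 "https://wiki.corp.example/page" "https://wiki.corp.example"',
    '10.0.0.9 [21/Mar/2025:14:25:00 +0000] "POST /signup HTTP/1.1" 200 "-" "-"',
    '10.0.0.7 [21/Mar/2025:15:00:00 +0000] "POST /api/2.0/mlflow/runs/create HTTP/1.1" 200 "-" "-"',
]

# Constructed user records (shape is an assumption, not MLflow's API output).
SAMPLE_USERS = [
    {"username": "alice", "created": "2024-11-03"},
    {"username": "svc-ci", "created": "2025-01-15"},
    {"username": "m1ke", "created": "2025-03-21"},
]


def main() -> None:
    for rec in find_cross_site_signups(SAMPLE_LOG):
        print(f"cross-site signup: client={rec['client']} ts={rec['ts']} "
              f"origin={rec['origin']} referer={rec['referer']}")
    for u in users_created_since(SAMPLE_USERS, "2025-01-01"):
        print(f"review account: {u['username']} created {u['created']}")


if __name__ == "__main__":
    main()
```

Run against the constructed data this flags the two POSTs from 10.0.0.9 and the two accounts created after 2025-01-01. In production, feed `find_cross_site_signups` the proxy's real log stream and `users_created_since` the output of whatever user listing your auth backend exposes; a legitimate signup will always carry the UI host in Origin, so an allow-list mismatch on this one endpoint is a high-signal alert.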

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.9.3 - Access control to AI systems
NIST AI RMF
GOVERN 6.1 - Policies and processes are in place for the secure development and deployment of AI systems
MANAGE 2.4 - Risks are prioritized based on assessed likelihood and impact
OWASP LLM Top 10
LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

What is CVE-2025-1473?

An attacker can trick any user's browser into registering an attacker-controlled account on your MLflow server, bypassing intended access controls. This gives the attacker a persistent foothold in your ML experiment tracking platform with access to models, artifacts, and potentially training data. Patch to MLflow 2.20.3 immediately and verify your MLflow instance is not publicly reachable without network-level controls.

Is CVE-2025-1473 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1473, increasing the risk of exploitation.

How to fix CVE-2025-1473?

  1. PATCH: Upgrade MLflow to 2.20.3 immediately (fix commit: ecfa61cb43d3303589f3b5834fd95991c9706628).
  2. NETWORK: Restrict MLflow server access to internal networks/VPN — no public exposure without WAF or reverse proxy with CSRF protection.
  3. AUDIT: Review user accounts in MLflow for unauthorized registrations post-2025-01-01 (check /api/2.0/mlflow/users/list if using built-in auth).
  4. ROTATE: If exposure was possible, rotate any MLflow API tokens and review access logs for anomalous activity.
  5. DETECT: Alert on new account creation events in MLflow audit logs; correlate with known IP ranges.
  6. WORKAROUND (if patching is delayed): Disable self-registration if not required, or enforce SSO/OIDC via a proxy.

What systems are affected by CVE-2025-1473?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking, model serving.

What is the CVSS score for CVE-2025-1473?

CVE-2025-1473 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.16%.

Technical Details

NVD Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Exploitation Scenario

Attacker targets a data science team using MLflow 2.17.x-2.20.1 with its built-in auth. They craft a minimal HTML page with a hidden form auto-submitting a POST to the victim org's MLflow signup endpoint (e.g., https://mlflow.internal/signup) with attacker-chosen credentials. The attacker embeds this in a phishing email or compromised internal wiki page. When a data scientist visits the page — even briefly — their browser silently submits the form using their session context, creating a new attacker-controlled account on the MLflow server. The attacker then logs in at their leisure, exports all registered model versions, downloads artifact stores containing model weights, and reads experiment parameters that may reveal infrastructure details, API keys logged as run params, or proprietary hyperparameter configurations.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Timeline

Published
March 20, 2025
Last Modified
August 5, 2025
First Seen
March 20, 2025

Related Vulnerabilities