CVE-2025-1473: MLflow: CSRF in signup allows rogue account creation

GHSA-969w-gqqr-g6j3 HIGH PoC AVAILABLE CISA: TRACK*
Published March 20, 2025
CISO Take

An attacker can trick any user's browser into registering an attacker-controlled account on your MLflow server, bypassing intended access controls. This gives the attacker a persistent foothold in your ML experiment tracking platform with access to models, artifacts, and potentially training data. Patch to MLflow 2.20.3 immediately and verify your MLflow instance is not publicly reachable without network-level controls.

What is the risk?

Risk is MEDIUM-HIGH for organizations with internet-exposed MLflow deployments and LOW for those with network-restricted instances. CVSS 7.1 and low attack complexity make this straightforward to exploit, but user interaction is required (victim must visit attacker-controlled page). EPSS of 0.00055 indicates no current observed exploitation in the wild. The confidentiality impact is HIGH because a rogue account grants full access to experiments, registered models, run artifacts, and any secrets stored in MLflow tracking server — making this disproportionately dangerous in AI/ML environments where sensitive model IP and training pipelines live.

What systems are affected?

Package   Ecosystem   Vulnerable Range        Patched
MLflow    pip         (not listed)            No patch
MLflow    pip         >= 2.17.0, < 2.20.3     2.20.3

Package profile: 26.6K, OpenSSF score 5.6, 655 dependents, 31% patched, ~51d to patch.

How severe is it?

CVSS 3.1: 7.1 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): Required
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): Low
A (Availability): None

What should I do?

  1. PATCH: Upgrade MLflow to 2.20.3 immediately (fix commit: ecfa61cb43d3303589f3b5834fd95991c9706628).
  2. NETWORK: Restrict MLflow server access to internal networks/VPN; allow no public exposure without a WAF or a reverse proxy that enforces CSRF protection.
  3. AUDIT: Review MLflow user accounts for unauthorized registrations after 2025-01-01 (check /api/2.0/mlflow/users/list if using the built-in auth).
  4. ROTATE: If exposure was possible, rotate any MLflow API tokens and review access logs for anomalous activity.
  5. DETECT: Alert on new account creation events in MLflow audit logs; correlate with known IP ranges.
  6. WORKAROUND (if patching is delayed): Disable self-registration if it is not required, or enforce SSO/OIDC via a proxy.
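The AUDIT and DETECT steps in code, as an added example that is not from the original advisory or the MLflow project: it scans reverse-proxy access logs (constructed sample lines in an assumed nginx-style format that records the Referer and Origin headers) for account-creation POSTs after the audit cutoff and flags those whose Origin names a site other than the MLflow server.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed log format (an assumption): proxy access-log line ending with the
# quoted Referer and Origin request headers. Adapt LOG_RE to your own format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<origin>[^"]*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Account-creation paths of MLflow's built-in auth (signup page and users API).
SIGNUP_PATHS = {"/signup", "/api/2.0/mlflow/users/create"}

# Constructed sample: a same-site signup, one auto-submitted from a wiki page,
# and an old event outside the audit window.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Mar/2025:09:14:02 +0000] "GET /signup HTTP/1.1" 200 "-" "-"
192.0.2.10 - - [21/Mar/2025:09:14:09 +0000] "POST /signup HTTP/1.1" 200 "https://mlflow.internal/signup" "https://mlflow.internal"
198.51.100.7 - - [22/Mar/2025:17:40:31 +0000] "POST /signup HTTP/1.1" 200 "https://wiki.corp.example/page" "https://wiki.corp.example"
203.0.113.5 - - [10/Dec/2024:08:00:00 +0000] "POST /signup HTTP/1.1" 200 "https://evil.example/" "https://evil.example"
"""

def _host(url):
    """Host of an Origin/Referer value; '' when absent ('-') or unparsable."""
    return urlsplit(url).netloc.lower() if url and url != "-" else ""

def audit_signups(lines, expected_host, since):
    """List account-creation POSTs at or after `since`, flagging cross-site ones.
    A cross-site auto-submitted form makes the browser send an Origin (and usually
    Referer) naming the other page; a host mismatch is the CSRF signal. POSTs with
    neither header are flagged too, so non-browser API clients need triage."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"] != "POST" or m["path"] not in SIGNUP_PATHS:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        if ts < since:
            continue
        origin = _host(m["origin"]) or _host(m["referer"])
        events.append({"time": ts.isoformat(), "client": m["ip"],
                       "path": m["path"], "status": int(m["status"]),
                       "origin": origin or None,
                       "cross_site": origin != expected_host.lower()})
    return events

def audit_sample():
    """Audit the constructed sample for registrations since 2025-01-01 UTC."""
    since = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return audit_signups(SAMPLE_LOG.splitlines(), "mlflow.internal", since)
```

Feed the real proxy log to `audit_signups` and route every `cross_site` event to the alerting rule from the DETECT step; the same-site events form the account list for the AUDIT step.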

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: A.9.3 - Access control to AI systems
NIST AI RMF: GOVERN 6.1 - Policies and processes are in place for the secure development and deployment of AI systems; MANAGE 2.4 - Risks are prioritized based on assessed likelihood and impact
OWASP LLM Top 10: LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2025-1473 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-1473, increasing the risk of exploitation.

What systems are affected by CVE-2025-1473?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking, model serving.

What is the CVSS score for CVE-2025-1473?

CVE-2025-1473 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.20%.

What is the AI security impact?

Affected AI Architectures

MLOps platforms, model registry, training pipelines, experiment tracking, model serving

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0021 Establish Accounts
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: GOVERN 6.1, MANAGE 2.4
OWASP LLM Top 10: LLM08:2025

What are the technical details?

Original Advisory

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Exploitation Scenario

Attacker targets a data science team using MLflow 2.17.x-2.20.1 with its built-in auth. They craft a minimal HTML page with a hidden form auto-submitting a POST to the victim org's MLflow signup endpoint (e.g., https://mlflow.internal/signup) with attacker-chosen credentials. The attacker embeds this in a phishing email or compromised internal wiki page. When a data scientist visits the page — even briefly — their browser silently submits the form using their session context, creating a new attacker-controlled account on the MLflow server. The attacker then logs in at their leisure, exports all registered model versions, downloads artifact stores containing model weights, and reads experiment parameters that may reveal infrastructure details, API keys logged as run params, or proprietary hyperparameter configurations.

Weaknesses (CWE)

CWE-352 — Cross-Site Request Forgery (CSRF): The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, use anti-CSRF packages such as the OWASP CSRFGuard. [REF-330] Another example is the ESAPI Session Management control, which includes a component for CSRF. [REF-45]
  • [Implementation] Ensure that the application is free of cross-site scripting issues (CWE-79), because most CSRF defenses can be bypassed using attacker-controlled script.

Source: MITRE CWE corpus.
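The CWE-352 mitigations above applied to a signup form, as an added example that is neither MLflow's handler nor its fix: the server origin is assumed, and the `session`, `headers` and `form` dicts are stand-ins for a web framework's request objects.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed server origin; the handler shape is illustrative, not MLflow's code.
SERVER_ORIGIN = "https://mlflow.internal"

def issue_csrf_token(session):
    """Bind a fresh random token to the server-side session when the signup
    form is rendered; the form embeds it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def signup_allowed(session, headers, form):
    """Return (allowed, reason) for a POST /signup.
    Two independent checks: the Origin (or Referer) header must name this
    server, and the form must carry the token bound to this session. A form
    auto-submitted from another site fails the first and, because the token is
    never exposed cross-origin, cannot pass the second either."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False, "missing Origin and Referer"
    o, s = urlsplit(origin), urlsplit(SERVER_ORIGIN)
    if (o.scheme, o.netloc.lower()) != (s.scheme, s.netloc.lower()):
        return False, f"cross-site origin {o.netloc}"
    expected, supplied = session.get("csrf_token"), form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"

def demo():
    """The scenario's auto-submitted form versus a genuine same-site signup."""
    session = {}
    token = issue_csrf_token(session)
    forged = signup_allowed(session, {"Origin": "https://wiki.corp.example"},
                            {"username": "rogue", "password": "x"})
    legit = signup_allowed(session, {"Origin": SERVER_ORIGIN},
                           {"username": "alice", "password": "x", "csrf_token": token})
    return forged, legit
```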

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Timeline

Published
March 20, 2025
Last Modified
August 5, 2025
First Seen
March 20, 2025
