CVE-2025-15381: MLflow: broken access control exposes experiment traces

GHSA-g6pg-52vf-843h HIGH CISA: ATTEND
Published March 27, 2026
CISO Take

Any authenticated MLflow user — including accounts explicitly granted NO_PERMISSIONS — can read trace data and inject assessments on experiments in which they own nothing. If your ML platform runs `mlflow server --app-name=basic-auth`, assume all trace contents (prompts, inputs, outputs, metadata) are readable by every internal user until patched. Update MLflow immediately and audit who has any valid credential on your instance.

What is the risk?

Medium-High for organizations running MLflow with basic-auth. Exploitability is trivial — any valid login suffices, no privilege escalation needed. Impact depends on what lives in traces: production LLM call logs frequently contain PII, proprietary prompts, API keys embedded in inputs, and business-sensitive model outputs. The integrity dimension (creating fraudulent assessments) is particularly dangerous for teams using MLflow evaluations to gate model promotion to production — an attacker could silently corrupt model quality signals.

What systems are affected?

Package   Ecosystem   Vulnerable range   Patched
mlflow    pip         <= 3.8.1           No patch

Do you use mlflow? You're affected.

Severity & Risk

CVSS 3.1: 8.1 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 2% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): None

What should I do?

6 steps
  1. Patch: Update to the fixed MLflow version as soon as available (monitor https://github.com/mlflow/mlflow/releases and the huntr disclosure).

  2. Immediate workaround: Place MLflow behind a network perimeter (VPN/firewall) so only authorized users can authenticate at all — reducing the blast radius of the missing endpoint-level authz.

  3. Audit access: Review who holds any valid MLflow credential; revoke dormant accounts.

  4. Rotate secrets: If trace logs may contain API keys or credentials passed as model inputs, rotate them.

  5. Detection: Review MLflow access logs for cross-experiment trace reads by users who own no runs in those experiments.

  6. Consider disabling the assessments feature, if it is not in active use, until a patch is available.
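Step 5 asks for a review of access logs for cross-experiment trace reads. The script below is an added example, not code from this advisory or from the MLflow project: it assumes a constructed access-log layout (`SAMPLE_LOG`), a constructed grant table (`PERMS`) and a constructed trace-to-experiment map (`TRACE_EXPERIMENT`), and flags successful requests to the `/api/2.0/mlflow/traces` endpoints where the caller held less than READ (trace reads) or less than EDIT (assessment writes) on the owning experiment. It goes slightly beyond step 5 by also covering the integrity side of the bug, unauthorized assessment creation.

```python
import re
from urllib.parse import parse_qs, urlsplit

# MLflow basic-auth permission levels, weakest to strongest.
RANK = {"NO_PERMISSIONS": 0, "READ": 1, "EDIT": 2, "MANAGE": 3}
# Constructed: grants the basic-auth store is supposed to enforce (user -> experiment -> level);
# a missing grant is treated as NO_PERMISSIONS (adjust if your server's default permission differs).
PERMS = {"alice": {"1": "READ"}, "bob": {"1": "NO_PERMISSIONS"}, "carol": {}}
# Constructed: owning experiment of each trace, needed to attribute per-trace URLs.
TRACE_EXPERIMENT = {"tr-123": "1"}
# Constructed sample access log, "user method path?query status" (assumed layout, not MLflow's own).
SAMPLE_LOG = """\
alice GET /api/2.0/mlflow/traces?experiment_ids=1 200
bob GET /api/2.0/mlflow/traces?experiment_ids=1 200
bob GET /api/2.0/mlflow/traces/tr-123 200
carol POST /api/2.0/mlflow/traces/tr-123/assessments 200
alice GET /api/2.0/mlflow/experiments/get?experiment_id=1 200
"""
LINE = re.compile(r"^(?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")
TRACE_PATH = re.compile(r"^/api/2\.0/mlflow/traces(?:/(?P<trace_id>[^/]+))?(?:/.*)?$")


def trace_events(log_text):
    """Yield (user, method, experiment_id, is_write) for successful trace/assessment requests."""
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["status"] != "200":
            continue  # malformed line, or a request the server already rejected
        url = urlsplit(m["target"])
        tp = TRACE_PATH.match(url.path)
        if not tp:
            continue  # not a trace or assessment endpoint
        if tp["trace_id"]:  # /traces/<id> or /traces/<id>/assessments
            exp_id = TRACE_EXPERIMENT.get(tp["trace_id"])
        else:  # /traces?experiment_ids=N
            exp_id = parse_qs(url.query).get("experiment_ids", [None])[0]
        if exp_id is not None:
            yield m["user"], m["method"], exp_id, m["method"] != "GET"


def find_violations(log_text):
    """Return (user, method, experiment_id, held) for requests that succeeded although the
    caller lacked READ (trace reads) or EDIT (assessment writes) on the experiment."""
    findings = []
    for user, method, exp_id, is_write in trace_events(log_text):
        held = PERMS.get(user, {}).get(exp_id, "NO_PERMISSIONS")
        needed = "EDIT" if is_write else "READ"
        if RANK[held] < RANK[needed]:
            findings.append((user, method, exp_id, held))
    return findings
```

On the constructed log this reports bob's two trace reads and carol's assessment write; alice's permitted read and her non-trace request are ignored.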

CISA SSVC Assessment

Decision: Attend
Exploitation: PoC
Automatable: No
Technical Impact: Total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 10 - Data and data governance
  - Article 17 - Quality management system
ISO 42001
  - 6.5 - Information security in AI systems
  - 8.4 - AI system lifecycle — Data management
NIST AI RMF
  - GOVERN 1.2 - Accountability structures are in place
  - MANAGE 2.2 - Mechanisms are in place for authorized users to report
OWASP LLM Top 10
  - LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2025-15381?

Any authenticated MLflow user — including accounts explicitly granted NO_PERMISSIONS — can read trace data and inject assessments on experiments in which they own nothing. If your ML platform runs `mlflow server --app-name=basic-auth`, assume all trace contents (prompts, inputs, outputs, metadata) are readable by every internal user until patched. Update MLflow immediately and audit who has any valid credential on your instance.

Is CVE-2025-15381 actively exploited?

No confirmed active exploitation of CVE-2025-15381 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-15381?

  1. Patch: Update to the fixed MLflow version as soon as available (monitor https://github.com/mlflow/mlflow/releases and the huntr disclosure).
  2. Immediate workaround: Place MLflow behind a network perimeter (VPN/firewall) so only authorized users can authenticate at all — reducing the blast radius of the missing endpoint-level authz.
  3. Audit access: Review who holds any valid MLflow credential; revoke dormant accounts.
  4. Rotate secrets: If trace logs may contain API keys or credentials passed as model inputs, rotate them.
  5. Detection: Review MLflow access logs for cross-experiment trace reads by users who own no runs in those experiments.
  6. Consider disabling the assessments feature, if it is not in active use, until a patch is available.

What systems are affected by CVE-2025-15381?

This vulnerability affects the following AI/ML architecture patterns: MLOps experiment tracking platforms, LLM fine-tuning pipelines, Model evaluation and promotion pipelines, Multi-tenant ML development environments, RAG development and evaluation workflows.

What is the CVSS score for CVE-2025-15381?

CVE-2025-15381 has a CVSS v3.1 base score of 8.1 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators. This allows any authenticated user, including those with `NO_PERMISSIONS` on the experiment, to read trace information and create assessments for traces they should not have access to. This vulnerability impacts confidentiality by exposing trace metadata and integrity by allowing unauthorized creation of assessments. Deployments using `mlflow server --app-name=basic-auth` are affected.

Exploitation Scenario

A contractor or low-privilege service account is granted an MLflow credential with NO_PERMISSIONS to run a limited task. Using standard MLflow REST API calls to the unprotected `/api/2.0/mlflow/traces` and assessment endpoints, they enumerate and download traces from all experiments — including the production LLM fine-tuning experiments they were never authorized to see. The traces contain the full prompt templates, system instructions, and labeled training examples your team spent months curating. In parallel, the attacker creates fraudulent assessments marking a backdoored model variant as high-quality, potentially influencing automated model promotion pipelines that trust MLflow evaluation scores.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Timeline

Published: March 27, 2026
Last Modified: March 31, 2026
First Seen: March 27, 2026
