CVE-2025-52967: MLflow: unauthenticated SSRF in gateway proxy

GHSA-wxj7-3fx5-pp9m MEDIUM
Published June 23, 2025
CISO Take

MLflow's AI gateway proxy accepts unvalidated paths, allowing any unauthenticated attacker to make the server issue arbitrary HTTP requests to internal infrastructure — including cloud metadata endpoints and internal APIs. If you run MLflow >=3.0.0rc0 in an internet-exposed or multi-tenant environment, upgrade to 3.1.0 immediately. Scope change in the CVSS vector (S:C) means blast radius extends beyond MLflow itself.

Risk Assessment

Medium severity but disproportionate exposure in AI/ML environments. EPSS is very low (0.00063) and not in CISA KEV, suggesting no active exploitation yet. However, the attack requires zero authentication, zero user interaction, and low complexity — a script-kiddie-level exploit once a PoC surfaces. The real risk is lateral movement: MLflow deployments typically sit on internal networks co-located with training clusters, model registries, and cloud metadata services (AWS IMDSv1, GCP metadata API). Scope change to 'C' confirms the impact reaches beyond the vulnerable component.

Affected Systems

Package: mlflow
Ecosystem: pip
Vulnerable Range: >= 3.0.0rc0, < 3.1.0
Patched: 3.1.0


Severity & Risk

CVSS 3.1: 5.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 48% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Changed
C: None
I: Low
A: None

Recommended Action

  1. PATCH

    Upgrade to MLflow 3.1.0 immediately — this is the only full remediation.

  2. WORKAROUND

    If upgrade is not immediately possible, place MLflow Gateway behind a WAF with SSRF protection rules blocking requests to RFC-1918 ranges and link-local addresses (169.254.0.0/16).

  3. NETWORK

    Enforce egress filtering on hosts running MLflow to block outbound connections to cloud metadata endpoints and internal CIDR ranges.

  4. DETECTION

    Monitor MLflow gateway logs for gateway_path values containing internal IP ranges, localhost, or cloud metadata URLs.

  5. CLOUD

    Enable IMDSv2 (token-required) on all EC2/cloud instances running MLflow to limit SSRF impact on credential theft.
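
One way to implement the DETECTION step, as an added example (not MLflow's code and not part of the original advisory). The log line shape with a gateway_path=<value> field is an assumption, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Names that resolve to loopback or to a cloud metadata service.
SUSPECT_NAMES = ("localhost", "metadata.google.internal")
# Assumed log shape: each proxied request logs a gateway_path=<value> field.
FIELD = re.compile(r"gateway_path=(\S+)")
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def classify(gateway_path):
    """Return why a gateway_path value looks internal, or None if it does not."""
    value = unquote(gateway_path).lower()  # decode %xx before matching
    for name in SUSPECT_NAMES:
        if name in value:
            return f"hostname:{name}"
    candidates = IPV4.findall(value)
    if "://" in value:
        try:  # the URL host also covers bracketed IPv6 literals such as [::1]
            candidates.append(urlsplit(value).hostname or "")
        except ValueError:
            pass
    for cand in candidates:
        try:
            ip = ipaddress.ip_address(cand)
        except ValueError:
            continue  # not an IP literal, e.g. 999.1.1.1 or a DNS name
        for reason in ("link_local", "loopback", "private"):  # most specific first
            if getattr(ip, f"is_{reason}"):
                return reason
    return None

def scan(lines):
    """Return (line_number, reason) for every log line with a flagged value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = FIELD.search(line)
        reason = classify(match.group(1).strip('"')) if match else None
        if reason:
            hits.append((number, reason))
    return hits

SAMPLE_LOG = [  # constructed lines, not real MLflow output
    "10:01:02 gateway_proxy_handler gateway_path=api/2.0/endpoints/chat/invocations",
    "10:01:07 gateway_proxy_handler gateway_path=http://169.254.169.254/latest/meta-data/",
    "10:01:09 gateway_proxy_handler gateway_path=http://localhost:5000/health",
    '10:01:12 gateway_proxy_handler gateway_path="http://10.0.0.5:9200/_cat/indices"',
    "10:01:15 gateway_proxy_handler gateway_path=http://[::1]:8080/",
]
```

A DNS name that resolves to an internal address passes this check, which is why the egress filtering in step 3 is still needed.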

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.4 - AI system security — network security controls
NIST AI RMF: MEASURE 2.6 - Risk monitoring and vulnerability management
OWASP LLM Top 10: LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2025-52967?

MLflow's AI gateway proxy accepts unvalidated paths, allowing any unauthenticated attacker to make the server issue arbitrary HTTP requests to internal infrastructure — including cloud metadata endpoints and internal APIs. If you run MLflow >=3.0.0rc0 in an internet-exposed or multi-tenant environment, upgrade to 3.1.0 immediately. Scope change in the CVSS vector (S:C) means blast radius extends beyond MLflow itself.

Is CVE-2025-52967 actively exploited?

No confirmed active exploitation of CVE-2025-52967 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-52967?

1. PATCH: Upgrade to MLflow 3.1.0 immediately — this is the only full remediation.
2. WORKAROUND: If upgrade is not immediately possible, place MLflow Gateway behind a WAF with SSRF protection rules blocking requests to RFC-1918 ranges and link-local addresses (169.254.0.0/16).
3. NETWORK: Enforce egress filtering on hosts running MLflow to block outbound connections to cloud metadata endpoints and internal CIDR ranges.
4. DETECTION: Monitor MLflow gateway logs for gateway_path values containing internal IP ranges, localhost, or cloud metadata URLs.
5. CLOUD: Enable IMDSv2 (token-required) on all EC2/cloud instances running MLflow to limit SSRF impact on credential theft.

What systems are affected by CVE-2025-52967?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model serving, AI gateway/proxy, training pipelines, cloud-hosted ML infrastructure.

What is the CVSS score for CVE-2025-52967?

CVE-2025-52967 has a CVSS v3.1 base score of 5.8 (MEDIUM). The EPSS exploitation probability is 0.25%.

Technical Details

NVD Description

gateway_proxy_handler in MLflow before 3.1.0 lacks gateway_path validation.

Exploitation Scenario

An attacker enumerates an organization's external attack surface and identifies a publicly accessible MLflow Gateway instance (common in data science teams that expose the UI for remote access). They send a crafted HTTP request to the gateway_proxy_handler endpoint with a gateway_path parameter pointing to http://169.254.254.169/latest/meta-data/iam/security-credentials/. MLflow, lacking path validation, forwards this request and returns AWS temporary credentials to the attacker. With these credentials, the attacker gains access to S3 buckets containing training data, model artifacts, or proprietary datasets — achieving AI artifact exfiltration without ever touching the ML models directly.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Timeline

Published: June 23, 2025
Last Modified: September 12, 2025
First Seen: June 23, 2025
