Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-14279

CVE-2025-14279: Lfprojects MLflow CSRF Vulnerability

CVE-2025-14279 is a CSRF vulnerability in Lfprojects MLflow that enables DNS rebinding attacks, allowing malicious sites to execute unauthorized REST API calls. This article covers technical details, affected versions, and patches.

Updated:

CVE-2025-14279 Overview

CVE-2025-14279 is a DNS rebinding vulnerability in the MLFlow REST server affecting all versions up to and including 3.4.0. The MLFlow server fails to validate the HTTP Origin header on incoming REST requests. This omission allows a malicious website visited by a user on the same network as an MLFlow instance to bypass Same-Origin Policy (SOP) protections and issue authenticated calls to MLFlow endpoints. An attacker can query, update, and delete experiments, leading to data exfiltration, destruction, or manipulation of machine learning artifacts. The issue is categorized under [CWE-346: Origin Validation Error] and is resolved in MLFlow version 3.5.0.

Critical Impact

Unauthenticated attackers can trigger experiment data theft and destruction in MLFlow tracking servers through a victim's browser without direct network access.

Affected Products

  • MLFlow (lfprojects) versions up to and including 3.4.0
  • MLFlow REST tracking server deployments exposed to user browsers on local networks
  • Fixed in MLFlow 3.5.0

Discovery Timeline

  • 2026-01-12 - CVE-2025-14279 published to NVD
  • 2026-04-14 - Last updated in NVD database

Technical Details for CVE-2025-14279

Vulnerability Analysis

The MLFlow REST server processes incoming HTTP requests without verifying the Origin header against an allowlist of trusted origins. Browsers attach the Origin header to cross-origin requests, and servers that handle sensitive state-changing operations must validate it to prevent unauthorized cross-site interactions. MLFlow's tracking API exposes endpoints for creating, reading, updating, and deleting experiments, runs, and registered models. Without origin validation, these endpoints accept requests initiated by any web page a user visits while their browser can reach the MLFlow instance, typically on a private or loopback network.

Root Cause

The root cause is missing origin validation in the MLFlow REST server request-handling layer. The server treats requests as trusted based on network reachability alone. The fix in commit b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3 introduces Origin header checks to reject requests from untrusted origins. See the MLFlow patch commit for the implementation details.

Attack Vector

The attack relies on DNS rebinding. An attacker controls a domain such as attacker.example with a DNS record initially resolving to the attacker's server. A victim browsing the attacker's site loads JavaScript that begins making requests to attacker.example. The attacker then rebinds the DNS record to the IP address of the victim's internal MLFlow server (for example 127.0.0.1 or 10.0.0.5). Subsequent fetches from the same origin reach the MLFlow server, but the browser still considers them same-origin. Because MLFlow does not validate the Origin header, it processes API calls such as POST /api/2.0/mlflow/experiments/delete and returns response data the attacker script then exfiltrates. User interaction is required to load the attacker page, but no authentication credentials are needed by the attacker. Further technical context is available in the Huntr bounty listing.

Detection Methods for CVE-2025-14279

Indicators of Compromise

  • MLFlow access logs showing REST API calls with Origin headers referencing external domains unrelated to your MLFlow deployment
  • Unexpected experiments/delete, experiments/update, or runs/delete API calls outside scheduled pipelines or known user activity
  • DNS query patterns from endpoints resolving short-TTL records to internal RFC1918 addresses or 127.0.0.1
  • Outbound HTTP POSTs from user workstations to unfamiliar domains immediately following MLFlow API activity

Detection Strategies

  • Inspect MLFlow web server logs for requests whose Origin or Referer headers do not match approved internal hostnames
  • Correlate browser-initiated traffic patterns where a workstation issues sequential API calls to internal MLFlow endpoints without the user opening the MLFlow UI
  • Alert on DNS responses with TTLs below 60 seconds that resolve external domains to internal IP ranges, a signature of DNS rebinding

Monitoring Recommendations

  • Forward MLFlow access logs and DNS resolver logs to a centralized analytics platform for correlation and retention
  • Track experiment and run deletion events through MLFlow audit logging to detect destructive API activity
  • Monitor for newly registered external domains resolving to internal addresses in your egress DNS telemetry

How to Mitigate CVE-2025-14279

Immediate Actions Required

  • Upgrade MLFlow to version 3.5.0 or later on all tracking servers
  • Restrict MLFlow REST server exposure to authenticated reverse proxies that enforce Origin and Host header validation
  • Audit existing experiments and registered models for unauthorized modification or deletion since deployment
  • Place MLFlow servers behind network segmentation that blocks direct access from user workstation browsers

Patch Information

The fix is delivered in MLFlow 3.5.0 via commit b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3. The patch adds Origin header validation to the REST server request pipeline. Refer to the MLFlow GitHub commit for upgrade verification.

Workarounds

  • Deploy a reverse proxy such as nginx in front of MLFlow that rejects requests with Origin or Host headers not matching the approved server name
  • Bind the MLFlow server to a non-routable interface and require VPN or SSH tunneling for access
  • Configure a host-based firewall to allow MLFlow connections only from trusted backend services, not user workstations
bash
# Example nginx reverse proxy enforcing Host and Origin validation
server {
    listen 443 ssl;
    server_name mlflow.internal.example;

    if ($http_host != "mlflow.internal.example") {
        return 403;
    }

    if ($http_origin !~ "^https?://mlflow\.internal\.example$") {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.