Skip to main content
CVE Vulnerability Database

CVE-2025-1473: Lfprojects Mlflow CSRF Vulnerability

CVE-2025-1473 is a Cross-Site Request Forgery vulnerability in Lfprojects Mlflow versions 2.17.0 to 2.20.1 that enables attackers to create unauthorized accounts. This article covers technical details, impact, and mitigation.

Updated:

CVE-2025-1473 Overview

CVE-2025-1473 is a Cross-Site Request Forgery (CSRF) vulnerability in the Signup feature of MLflow versions 2.17.0 through 2.20.1. The flaw allows attackers to trick authenticated victims into submitting unauthorized account creation requests. Once a new account is created through the forged request, the attacker can use it to perform unauthorized actions within the MLflow tracking server. The vulnerability is categorized under [CWE-352] and affects the open-source machine learning lifecycle management platform maintained by the Linux Foundation Projects.

Critical Impact

Attackers can create rogue accounts via CSRF, enabling unauthorized access to ML experiments, models, and tracking data hosted in MLflow.

Affected Products

  • MLflow versions 2.17.0 through 2.20.1
  • lfprojects:mlflow Signup endpoint
  • MLflow tracking server deployments with user authentication enabled

Discovery Timeline

  • 2025-03-20 - CVE-2025-1473 published to NVD
  • 2025-08-05 - Last updated in NVD database

Technical Details for CVE-2025-1473

Vulnerability Analysis

The Signup feature in MLflow accepts account creation requests without validating an anti-CSRF token. An attacker hosts a malicious page that triggers a cross-origin POST request to the MLflow /signup endpoint. When an authenticated MLflow user visits this page, their browser submits the forged request with attacker-controlled credentials. The MLflow server processes the request and provisions a new account under attacker-defined parameters.

The newly created account inherits default privileges configured on the MLflow tracking server. Attackers leverage this foothold to enumerate experiments, modify registered models, or exfiltrate artifacts. User interaction is required because the victim must visit the attacker-controlled page, which aligns with the EPSS probability of 0.16% reflecting limited active exploitation.

Root Cause

The root cause is the absence of CSRF protection on the Signup endpoint. MLflow does not verify a synchronizer token, double-submit cookie, or Origin/Referer header before processing account creation. State-changing requests are accepted purely based on session context, which the browser supplies automatically across origins.

Attack Vector

The attack is delivered over the network via a malicious web page or email link. The attacker crafts an HTML form or fetch() call targeting the MLflow Signup endpoint. When the victim loads the page, the browser issues the request to the MLflow server. The server creates the account because no CSRF defenses are enforced.

python
# Patch context from mlflow/__init__.py
# Source: https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628
     get_current_active_span,
     get_last_active_trace,
     get_trace,
+    log_trace,
     search_traces,
     start_span,
     trace,

Source: MLflow GitHub Commit ecfa61c

Detection Methods for CVE-2025-1473

Indicators of Compromise

  • Unexpected new accounts in the MLflow user database, particularly with anomalous usernames or email addresses
  • HTTP POST requests to /signup with Referer or Origin headers pointing to unknown external domains
  • Spikes in account creation activity outside normal onboarding patterns
  • Sessions from newly created accounts immediately accessing sensitive model registries or experiments

Detection Strategies

  • Review MLflow access logs for /signup requests where the Origin header does not match the MLflow server hostname
  • Correlate account creation events with referrer URLs to identify cross-origin submissions
  • Implement alerting on bulk account creation from a single source IP or within short time windows

Monitoring Recommendations

  • Forward MLflow web server access logs to a centralized SIEM for retention and correlation
  • Track changes to the MLflow user store, including timestamps and source IPs for each new account
  • Monitor downstream actions performed by recently created accounts, including model registrations and artifact downloads

How to Mitigate CVE-2025-1473

Immediate Actions Required

  • Upgrade MLflow to a version later than 2.20.1 that includes the fix from commit ecfa61c
  • Audit all existing user accounts and disable any created during the vulnerable window without authorization
  • Restrict access to the MLflow tracking server to trusted networks until the patch is applied

Patch Information

The maintainers addressed the vulnerability in commit ecfa61cb43d3303589f3b5834fd95991c9706628. Operators should upgrade to a release that includes this commit. Reference the MLflow GitHub Commit and the Huntr Bug Bounty Report for full remediation details.

Workarounds

  • Disable the Signup feature if open account registration is not required
  • Place the MLflow tracking server behind a reverse proxy that enforces Origin and Referer header validation
  • Require multi-factor authentication for any administrative account on the MLflow server
  • Apply network-level access controls such as VPN or IP allowlists to restrict who can reach the Signup endpoint
bash
# Example reverse proxy rule to block cross-origin signup requests (nginx)
location /signup {
    if ($http_origin !~ "^https://mlflow\.internal\.example\.com$") {
        return 403;
    }
    proxy_pass http://mlflow_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.