CVE-2025-1473 Overview
CVE-2025-1473 is a Cross-Site Request Forgery (CSRF) vulnerability in the Signup feature of MLflow versions 2.17.0 through 2.20.1. The flaw allows attackers to trick authenticated victims into submitting unauthorized account creation requests. Once a new account is created through the forged request, the attacker can use it to perform unauthorized actions within the MLflow tracking server. The vulnerability is categorized under [CWE-352] and affects the open-source machine learning lifecycle management platform maintained by the Linux Foundation Projects.
Critical Impact
Attackers can create rogue accounts via CSRF, enabling unauthorized access to ML experiments, models, and tracking data hosted in MLflow.
Affected Products
- MLflow versions 2.17.0 through 2.20.1
- lfprojects:mlflow Signup endpoint
- MLflow tracking server deployments with user authentication enabled
Discovery Timeline
- 2025-03-20 - CVE-2025-1473 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-1473
Vulnerability Analysis
The Signup feature in MLflow accepts account creation requests without validating an anti-CSRF token. An attacker hosts a malicious page that triggers a cross-origin POST request to the MLflow /signup endpoint. When an authenticated MLflow user visits this page, their browser submits the forged request with attacker-controlled credentials. The MLflow server processes the request and provisions a new account under attacker-defined parameters.
The newly created account inherits default privileges configured on the MLflow tracking server. Attackers leverage this foothold to enumerate experiments, modify registered models, or exfiltrate artifacts. User interaction is required because the victim must visit the attacker-controlled page, which aligns with the EPSS probability of 0.16% reflecting limited active exploitation.
Root Cause
The root cause is the absence of CSRF protection on the Signup endpoint. MLflow does not verify a synchronizer token, double-submit cookie, or Origin/Referer header before processing account creation. State-changing requests are accepted purely based on session context, which the browser supplies automatically across origins.
Attack Vector
The attack is delivered over the network via a malicious web page or email link. The attacker crafts an HTML form or fetch() call targeting the MLflow Signup endpoint. When the victim loads the page, the browser issues the request to the MLflow server. The server creates the account because no CSRF defenses are enforced.
# Patch context from mlflow/__init__.py
# Source: https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628
get_current_active_span,
get_last_active_trace,
get_trace,
+ log_trace,
search_traces,
start_span,
trace,
Source: MLflow GitHub Commit ecfa61c
Detection Methods for CVE-2025-1473
Indicators of Compromise
- Unexpected new accounts in the MLflow user database, particularly with anomalous usernames or email addresses
- HTTP POST requests to /signup with Referer or Origin headers pointing to unknown external domains
- Spikes in account creation activity outside normal onboarding patterns
- Sessions from newly created accounts immediately accessing sensitive model registries or experiments
Detection Strategies
- Review MLflow access logs for /signup requests where the Origin header does not match the MLflow server hostname
- Correlate account creation events with referrer URLs to identify cross-origin submissions
- Implement alerting on bulk account creation from a single source IP or within short time windows
Monitoring Recommendations
- Forward MLflow web server access logs to a centralized SIEM for retention and correlation
- Track changes to the MLflow user store, including timestamps and source IPs for each new account
- Monitor downstream actions performed by recently created accounts, including model registrations and artifact downloads
How to Mitigate CVE-2025-1473
Immediate Actions Required
- Upgrade MLflow to a version later than 2.20.1 that includes the fix from commit ecfa61c
- Audit all existing user accounts and disable any created during the vulnerable window without authorization
- Restrict access to the MLflow tracking server to trusted networks until the patch is applied
Patch Information
The maintainers addressed the vulnerability in commit ecfa61cb43d3303589f3b5834fd95991c9706628. Operators should upgrade to a release that includes this commit. Reference the MLflow GitHub Commit and the Huntr Bug Bounty Report for full remediation details.
Workarounds
- Disable the Signup feature if open account registration is not required
- Place the MLflow tracking server behind a reverse proxy that enforces Origin and Referer header validation
- Require multi-factor authentication for any administrative account on the MLflow server
- Apply network-level access controls such as VPN or IP allowlists to restrict who can reach the Signup endpoint
# Example reverse proxy rule to block cross-origin signup requests (nginx)
location /signup {
if ($http_origin !~ "^https://mlflow\.internal\.example\.com$") {
return 403;
}
proxy_pass http://mlflow_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

