CVE-2025-1473 Overview
CVE-2025-1473 is a Cross-Site Request Forgery (CSRF) vulnerability in the Signup feature of mlflow/mlflow versions 2.17.0 through 2.20.1. The flaw allows an attacker to trick an authenticated victim's browser into submitting a forged signup request, creating an attacker-controlled account on the target MLflow instance. The newly created account can then be used to perform unauthorized actions inside the MLflow tracking server, including accessing experiments, models, and artifacts associated with the victim's environment.
Critical Impact
Remote attackers can create unauthorized MLflow user accounts through CSRF, enabling persistent access to machine learning experiments, registered models, and tracked artifacts without the victim's knowledge.
Affected Products
- MLflow 2.17.0
- MLflow versions between 2.17.0 and 2.20.1
- MLflow 2.20.1
Discovery Timeline
- 2025-03-20 - CVE-2025-1473 published to NVD
- 2025-08-05 - Last updated in NVD database
Technical Details for CVE-2025-1473
Vulnerability Analysis
The vulnerability is classified under [CWE-352] Cross-Site Request Forgery. MLflow's Signup endpoint accepts state-changing POST requests without validating an anti-CSRF token or verifying the request origin. An attacker can host a malicious page that triggers a cross-origin request to the MLflow signup route, causing the victim's browser to submit attacker-chosen credentials.
Because the Signup feature does not require authentication of the requester, the resulting account is created with attacker-controlled username and password values. The attacker then logs in directly using those credentials, bypassing the requirement for any session compromise of the victim.
MLflow tracking servers commonly store proprietary model code, training data references, and experiment metadata. Unauthorized account creation therefore exposes machine learning intellectual property and provides a foothold inside trusted ML infrastructure.
Root Cause
The root cause is the absence of CSRF protections on the /signup request handler. MLflow's basic authentication module did not implement anti-CSRF tokens, SameSite cookie restrictions on the relevant flows, or origin/referrer validation for the account creation endpoint.
Attack Vector
The attack vector is network-based and requires user interaction. The victim must visit an attacker-controlled web page while having network access to the targeted MLflow server. Detailed technical analysis is available in the Huntr Security Bounty report.
Detection Methods for CVE-2025-1473
Indicators of Compromise
- Unexpected new user accounts in the MLflow authentication database with no corresponding administrative provisioning record.
- HTTP POST requests to the MLflow /signup endpoint with Origin or Referer headers pointing to external, unrelated domains.
- Login activity from new accounts immediately following their creation, originating from IP addresses outside expected user networks.
Detection Strategies
- Audit the MLflow user table on a recurring schedule and alert on any account created outside of approved identity provisioning workflows.
- Inspect reverse proxy or web application firewall logs for cross-origin requests to MLflow authentication endpoints.
- Correlate signup events with subsequent access to experiments, registered models, and artifact storage to identify abuse patterns.
Monitoring Recommendations
- Forward MLflow application logs and access logs to a centralized logging or SIEM platform for retention and analysis.
- Configure alerts on bursts of signup attempts and on signups followed by immediate model registry or artifact downloads.
- Track outbound artifact access by newly created accounts to identify potential data exfiltration.
How to Mitigate CVE-2025-1473
Immediate Actions Required
- Upgrade MLflow to a version later than 2.20.1 that includes the upstream fix referenced in the MLflow commit ecfa61c.
- Review the MLflow user database and remove any accounts that were not created through approved provisioning.
- Restrict MLflow tracking server exposure to trusted internal networks or VPN-protected segments until patched.
Patch Information
The MLflow maintainers addressed the issue in commit ecfa61cb43d3303589f3b5834fd95991c9706628. The patch introduces CSRF protections for the Signup workflow. Administrators should update to a release that incorporates this commit and verify the deployed version is greater than 2.20.1.
Workarounds
- Disable the basic authentication Signup feature where self-registration is not required for the deployment.
- Place MLflow behind an authenticating reverse proxy that enforces origin validation and rejects cross-site POST requests to authentication endpoints.
- Apply network-level access controls to limit who can reach the MLflow tracking server, reducing the population of potential CSRF victims.
# Configuration example: upgrade MLflow and restrict network exposure
pip install --upgrade "mlflow>2.20.1"
# Example reverse proxy rule (nginx) to block cross-origin POSTs to /signup
# location /signup {
# if ($http_origin !~ "^https://mlflow\.internal\.example\.com$") { return 403; }
# proxy_pass http://mlflow_backend;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
