CVE-2025-1473
📋 TL;DR
A Cross-Site Request Forgery vulnerability in MLflow's signup feature allows attackers to create unauthorized accounts by tricking authenticated users into submitting malicious requests. This affects MLflow deployments running versions 2.17.0 through 2.20.1 with the signup feature enabled. The created accounts could then be used to perform actions within the MLflow platform.
💻 Affected Systems
- mlflow/mlflow
📦 What is this software?
Mlflow by Lfprojects
⚠️ Risk & Real-World Impact
Worst Case
Attackers create administrative accounts, gain full control of the MLflow instance, exfiltrate sensitive ML models and data, or disrupt ML operations.
Likely Case
Attackers create regular user accounts to access MLflow features, view model artifacts, or submit malicious ML jobs.
If Mitigated
With proper CSRF protections, attackers cannot create accounts without explicit user consent, limiting impact to authorized account creation only.
🎯 Exploit Status
Requires tricking authenticated user into visiting malicious page; exploit requires understanding of MLflow's signup endpoint structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.20.2 and later
Vendor Advisory: https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628
Restart Required: No
Instructions:
1. Update MLflow to version 2.20.2 or later using pip: 'pip install --upgrade mlflow>=2.20.2' 2. Verify the update completed successfully 3. No restart required as fix is in application code
🔧 Temporary Workarounds
Disable Signup Feature
allTemporarily disable user signup functionality to prevent account creation via CSRF
Set environment variable: export MLFLOW_AUTH_ENABLE_SIGNUP=false
Or modify mlflow configuration to disable signup
Implement CSRF Tokens Manually
allAdd CSRF protection to signup endpoints if unable to patch immediately
Implement CSRF token validation in MLflow authentication middleware
🧯 If You Can't Patch
- Disable the signup feature entirely and use manual account provisioning
- Implement network-level protections like WAF rules to block suspicious signup requests
- Enable multi-factor authentication for all administrative accounts
🔍 How to Verify
Check if Vulnerable:
Check MLflow version: if between 2.17.0 and 2.20.1 and signup is enabled, system is vulnerableCheck Version:
python -c "import mlflow; print(mlflow.__version__)"Verify Fix Applied:
Verify MLflow version is 2.20.2 or later and test signup functionality with CSRF attempts📡 Detection & Monitoring
Log Indicators:
- Multiple account creation attempts from same IP
- Account creations without corresponding login events
- Unusual user agent strings in signup requests
Network Indicators:
- POST requests to /signup endpoint without Referer headers
- Signup requests originating from unexpected domains
SIEM Query:
source="mlflow.log" AND (event="user_signup" OR endpoint="/signup") | stats count by src_ip, user_agent