CVE-2025-52967
📋 TL;DR
Insufficient path validation in MLflow's gateway_proxy_handler lets an attacker steer the proxied request to a destination of their choosing, i.e. server-side request forgery (SSRF). It affects MLflow deployments that use the gateway proxy functionality on versions before 3.1.0. An attacker could use it to make requests from the MLflow server to internal systems the server can reach.
💻 Affected Systems
- MLflow
⚠️ Manual Verification Required
The CVE database entry for this CVE carries no version ranges, so automated version matching cannot tell whether your system is affected.
Why? The vendor/NVD entry does not specify which versions are vulnerable; the vendor release notes linked under Official Fix below identify 3.1.0 as the fixed release.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full SSRF allowing internal network reconnaissance, data exfiltration from internal services, or chaining with other vulnerabilities for remote code execution.
Likely Case
Limited SSRF to access internal HTTP services, potentially exposing sensitive APIs or internal application data.
If Mitigated
Impact is greatly reduced, though not eliminated, when network segmentation and egress filtering restrict what the MLflow server can reach: egress rules do not stop requests to the server's own loopback interface or to the upstreams it is already allowed to contact, so treat them as a mitigation rather than a substitute for the patch.
🎯 Exploit Status
Exploitation requires the ability to reach the gateway proxy endpoint. Because the weakness is in the path validation logic, no special tooling is needed once that endpoint is reachable: a crafted request path is enough. Restricting who can reach the endpoint therefore directly reduces exposure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.1.0
Vendor Advisory: https://github.com/mlflow/mlflow/releases/tag/v3.1.0
Restart Required: Yes
Instructions:
1. Upgrade MLflow to version 3.1.0 or later using pip: pip install "mlflow>=3.1.0" (quote the requirement; unquoted, the shell treats > as a redirect and writes a file named =3.1.0 instead of passing the version constraint to pip).
2. Restart all MLflow services.
3. Verify the gateway proxy functionality still works as expected.
🔧 Temporary Workarounds
Disable Gateway Proxy
Temporarily disable the vulnerable gateway proxy functionality if not required.
Configure MLflow to not use gateway proxy or disable the endpoint in your deployment configuration
Network Egress Filtering
Implement strict outbound firewall rules to limit what the MLflow server can connect to.
🧯 If You Can't Patch
- Restrict who can reach the gateway proxy endpoint (authentication or reverse-proxy ACLs), since exploitation requires access to that endpoint
- Implement strict network segmentation to isolate MLflow servers from sensitive internal systems
- Deploy a web application firewall (WAF) with SSRF protection rules in front of MLflow
🔍 How to Verify
Check if Vulnerable:
Check MLflow version: if using gateway proxy and version < 3.1.0, you are vulnerable.
Check Version:
python -c "import mlflow; print(mlflow.__version__)"
Verify Fix Applied:
Confirm the reported version is 3.1.0 or higher, then send the gateway proxy endpoint requests whose path contains traversal segments (plain and percent-encoded), an absolute URL, or a protocol-relative URL (//host/...); a patched server rejects these rather than forwarding them.
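The two verification steps above (gate on the installed version, then check that malformed proxy paths are refused) as an added Python example. This is not MLflow's own code: the version parser is a small stand-in for a packaging library, the validator is a generic model of what a hardened proxy handler should reject rather than a reproduction of the fixed or unfixed logic in mlflow, and the probe list, the deliberately weak contrast check and all function names are assumptions.

```python
"""Added example (not MLflow's code): version gate for the 3.1.0 fix plus an
offline model of a strict proxy-path check, run over constructed probes.
Names, probes and the validator itself are assumptions."""
import posixpath
import re
from urllib.parse import unquote, urlsplit

FIXED = (3, 1, 0)  # first release carrying the fix, per the advisory


def parse_version(version: str):
    """Return (numeric tuple, is_prerelease) for '3.0.2', '3.1.0rc1',
    '2.22.0.dev0' and similar; any suffix after the numbers marks a
    pre-release so it sorts before the final release of the same number."""
    nums, prerelease = [], False
    for piece in version.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            prerelease = True
            break
        nums.append(int(m.group(1)))
        if m.group(2):
            prerelease = True
            break
    nums = (nums + [0, 0, 0])[:3]
    return tuple(nums), prerelease


def is_patched(version: str) -> bool:
    """True for 3.1.0 and later; pre-releases of 3.1.0 count as unpatched."""
    nums, prerelease = parse_version(version)
    return nums > FIXED or (nums == FIXED and not prerelease)


def weak_check(path: str) -> bool:
    """Deliberately weak prefix check, for contrast only (NOT MLflow's logic):
    it misses encoded traversal, traversal after a benign first segment,
    and absolute or protocol-relative URLs."""
    return not path.startswith("../")


def safe_proxy_path(path: str) -> bool:
    """Strict model: the proxied path must remain a relative path under the
    configured upstream base. Rejects schemes, authorities, absolute paths,
    traversal (plain, encoded, double-encoded), backslashes, control
    characters and surrounding whitespace."""
    if not path or len(path) > 2048:
        return False
    decoded = unquote(path)
    if "%" in decoded:              # still encoded after one pass: double encoding
        return False
    if decoded != decoded.strip():  # leading/trailing whitespace hides ".."
        return False
    if any(ord(c) < 0x20 or ord(c) == 0x7F or c == "\\" for c in decoded):
        return False
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc or decoded.startswith("/"):
        return False                # would replace the upstream base entirely
    first = posixpath.normpath(parts.path).split("/")[0]
    return first != ".."            # normalisation exposes any climb above base


# Constructed probes a patched server must refuse (assumed set).
MALFORMED_PROBES = [
    "../../admin",
    "a/../../admin",
    "%2e%2e/admin",
    "%252e%252e/admin",
    "http://169.254.169.254/latest/meta-data/",
    "//169.254.169.254/latest/meta-data/",
    "/api/2.0/mlflow/users",
    "a\\..\\admin",
    " ../admin",
]


def all_rejected(check=safe_proxy_path) -> bool:
    """True if every probe is refused by the given validator."""
    return all(not check(p) for p in MALFORMED_PROBES)


if __name__ == "__main__":
    try:
        import mlflow
        print("mlflow", mlflow.__version__, "patched:", is_patched(mlflow.__version__))
    except ImportError:
        print("mlflow not installed in this environment")
    for probe in MALFORMED_PROBES:
        print(f"{probe!r:45} strict={safe_proxy_path(probe)!s:5} weak={weak_check(probe)}")
    print("strict rejects all probes:", all_rejected())
    print("weak rejects all probes:  ", all_rejected(weak_check))
```

Against a live deployment the same probe list is sent to the gateway proxy endpoint and each request is expected to come back with a client error rather than an upstream response; the offline validator shows which inputs a correct check must refuse and which a prefix-only check lets through.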
📡 Detection & Monitoring
Log Indicators:
- Unusual gateway proxy requests with malformed paths
- Requests to internal IP addresses from MLflow gateway
Network Indicators:
- Outbound connections from MLflow server to unexpected internal services
- HTTP requests to internal IP ranges
SIEM Query:
source="mlflow.logs" AND message="gateway_proxy" AND (path="*../*" OR path="*%2e%2e*" OR path="*://*")