CVE-2025-1473
Published: 20 March 2025
Summary
CVE-2025-1473 is a high-severity CSRF (CWE-352) vulnerability in Lfprojects MLflow. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 36.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly counters the CSRF vulnerability in MLflow's signup feature by requiring session authenticity mechanisms such as anti-CSRF tokens to prevent forged requests from creating unauthorized accounts.
Mandates validation of inputs to the signup endpoint, rejecting forged CSRF payloads that lack valid tokens or authenticity indicators.
Requires timely remediation of the specific CSRF flaw documented in CVE-2025-1473 via patching MLflow to versions beyond 2.20.1.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CSRF vulnerability enables exploitation of a public-facing MLflow application (T1190) to create unauthorized accounts (T1136) for malicious use.
NVD Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.
Deeper analysis [AI]
CVE-2025-1473 is a Cross-Site Request Forgery (CSRF) vulnerability, classified under CWE-352, affecting the Signup feature in mlflow/mlflow versions 2.17.0 through 2.20.1. Published on 2025-03-20, it has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N). The flaw enables unauthorized account creation through forged requests.
An attacker with network access and no required privileges can exploit this by tricking an authenticated user into interacting with a malicious webpage or link (UI:R), such as clicking a button that submits a CSRF payload to the vulnerable Signup endpoint. Successful exploitation creates a new account under the attacker's control, which can then be used to perform unauthorized actions, potentially leading to high confidentiality impact through data access and low integrity impact via limited modifications.
Mitigation details are available in the project's GitHub commit ecfa61cb43d3303589f3b5834fd95991c9706628, which patches the issue, and via the Huntr bounty report at https://huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809df1d45. Security practitioners should upgrade to a fixed version beyond 2.20.1 and review CSRF protections in MLflow deployments.
MLflow is an open-source platform for managing the machine learning lifecycle, making this vulnerability relevant to AI/ML environments where unauthorized account creation could compromise experiment tracking, model registries, or deployment workflows. No public evidence of real-world exploitation is noted in the provided details.
Details
- CWE(s)
Affected Products
AI Security Analysis [AI]
- AI Category: Other Platforms
- Risk Domain: Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: MLflow is an open-source platform for managing the ML lifecycle (tracking, deployment, etc.), fitting 'Other Platforms' as it is neither a framework nor a library, nor specialized in NLP/CV/etc., but a general ML operations platform.