Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-twnx-dt83-nuf3
Vulnerability ID VCID-twnx-dt83-nuf3
Aliases CVE-2025-14279
GHSA-pgqp-8h46-6x4j
Summary MLFlow is vulnerable to DNS rebinding attacks due to a lack of Origin header validation MLFlow versions up to and including 3.4.0 are vulnerable to DNS rebinding attacks due to a lack of Origin header validation in the MLFlow REST server. This vulnerability allows malicious websites to bypass Same-Origin Policy protections and execute unauthorized calls against REST endpoints. An attacker can query, update, and delete experiments via the affected endpoints, leading to potential data exfiltration, destruction, or manipulation. The issue is resolved in version 3.5.0.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-346 Origin Validation Error
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
There are no known severity scores.
Reference id Reference type URL
https://github.com/mlflow/mlflow
https://github.com/mlflow/mlflow/commit/b0ffd289e9b0d0cc32c9e3a9b9f3843ae83dbec3
https://github.com/mlflow/mlflow/pull/17910
https://huntr.com/bounties/ef478f72-2e4f-44dc-8055-fc06bef03108
CVE-2025-14279 https://nvd.nist.gov/vuln/detail/CVE-2025-14279
GHSA-pgqp-8h46-6x4j https://github.com/advisories/GHSA-pgqp-8h46-6x4j
No exploits are available.
There are no known vectors.

No EPSS data available for this vulnerability.

Date Actor Action Source VulnerableCode Version
2026-06-02T04:49:28.616437+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/mlflow/CVE-2025-14279.yml 38.6.0