CVE-2025-11200: 
NixOS vulnerability analysis and mitigation

MLflow contains a weak password requirements authentication bypass vulnerability (CVE-2025-11200) discovered in versions up to 2.21.0. The vulnerability was reported to the vendor on April 9, 2025, and publicly disclosed on October 3, 2025. This security flaw affects the authentication mechanism in MLflow installations, where the specific issue exists within the handling of passwords due to insufficient password requirements (Zero Day Initiative, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) by NVD with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The root cause is identified as the lack of server-side validation for password length during user creation in the mlflow.server.auth.sqlalchemystore.SqlAlchemyStore.createuser function. Before the patch, the function would proceed to hash and store any password provided for a new user, regardless of its length, allowing attackers to create accounts with easily guessable, short, or even empty passwords (Miggo).

The vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Since authentication is not required to exploit this vulnerability, successful exploitation could lead to unauthorized access to the system with potential for complete system compromise, affecting the confidentiality, integrity, and availability of the affected system (NVD).

MLflow has released a patch to address this vulnerability in version 2.22.0rc0. The fix includes the addition of a validatepassword function that enforces password requirements on the backend, requiring passwords to be strings longer than 12 characters (GitHub Patch).