CVE-2025-1474

MEDIUM

mlflow/mlflow <2.19.0 - Info Disclosure

Title source: llm

Description

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

References (2)

[Patch] https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17

View Patch ZIP pw:eip

[Exploit, Third Party Advisory] https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d

Scores

CVSS v3 5.5

EPSS 0.0010

EPSS Percentile 28.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-521

Status published

Products (2)

lfprojects/mlflow < 2.19.0

pypi/mlflow 0 - 2.19.0PyPI

Published Mar 20, 2025

Tracked Since Feb 18, 2026