CVE-2025-1474 – mlflow

Package

Manager: pip
Name: mlflow
Vulnerable Version: >=0 <2.19.0

Severity

Level: Low

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 pctl0.139

Details

MLflow has Weak Password Requirements In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

Metadata

Created: 2025-03-20T12:32:53Z
Modified: 2025-04-09T20:06:06Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4rj2-9gcx-5qhx/GHSA-4rj2-9gcx-5qhx.json
CWE IDs: ["CWE-521"]
Alternative ID: GHSA-4rj2-9gcx-5qhx
Finding: F053
Auto approve: 1