Cross-Site Request Forgery Flaw in mlflow Product by MLflow
CVE-2025-1473

5.4MEDIUM

Key Information:

Vendor: Mlflow
Status: Mlflow/mlflow
Vendor: CVE Published:; 20 March 2025

Summary

The Signup feature in specific versions of mlflow exposes users to a Cross-Site Request Forgery (CSRF) vulnerability. This flaw enables an attacker to exploit the system by creating unauthorized accounts, which can be leveraged to perform actions as if they were the victim. It is essential to address this security issue by implementing CSRF protections to safeguard user accounts and data integrity.

Affected Version(s)

mlflow/mlflow < 2.20.2

References

https://huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809...

https://github.com/mlflow/mlflow/commit/ecfa61cb43d330358...

CVSS V3.0

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 20, 2025
Vulnerability Reserved
Feb 19, 2025