Home > Vulnerability Database > CVE-2025-1474

Mend.io Vulnerability Database

CVE-2025-1474

Good to know:

Date: March 20, 2025

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

Severity Score

5.5

Related Resources (6)

Url: https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d

Url: https://github.com/mlflow/mlflow

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-1474

Url: https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17

Url: https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2025-17.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2025-1474

Severity Score

5.5

Weakness Type (CWE)

Weak Password Requirements

CWE-521

Top Fix

Upgrade Version

Upgrade to version mlflow - 2.19.0;mlflow - 2.19.0;mlflow - 2.19.0;https://github.com/mlflow/mlflow.git - v2.19.0

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-1474

Good to know:

Date: March 20, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?