CVE-2025-1474

GHSA-4rj2-9gcx-5qhx MEDIUM
Published March 20, 2025

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
mlflow | pip | < 2.19.0 | 2.19.0
mlflow | pip | | No patch

Severity & Risk

CVSS 3.1: 5.5 / 10
EPSS: 0.1% chance of exploitation in 30 days
KEV Status: Not in KEV
Sophistication: N/A

Recommended Action

Patch available

Update mlflow to version 2.19.0

Technical Details

NVD Description

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Timeline

Published: March 20, 2025
Last Modified: April 9, 2025
First Seen: March 20, 2025