PT-2025-7512 · Mlflow · Mlflow
Published: 2025-02-20 · Updated: 2025-08-06 · CVE-2025-1473
CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
mlflow/mlflow versions 2.17.0 through 2.20.1
Description
A Cross-Site Request Forgery (CSRF) issue exists in the Signup feature. This allows an attacker to create a new account, which can be used to perform unauthorized actions on behalf of the malicious user.
Recommendations
For mlflow/mlflow versions 2.17.0 through 2.20.1, consider disabling the Signup feature until a patch is available to prevent unauthorized account creation. Restrict access to the vulnerable Signup feature to minimize the risk of exploitation.
Affected Products
Mlflow