CVE-2025-1473: CSRF in mlflow/mlflow

5.4 CVSS

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.
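The advisory does not describe how the signup endpoint was hardened; the following is an added illustration of the CSRF class it names, not code from mlflow or from the referenced commit. It contrasts a signup handler that accepts any cookie-bearing POST with one that applies the usual two defenses: an Origin/Referer allow-list and a per-session synchronizer token compared in constant time. The Session and Request types, the handler names, and the ALLOWED_ORIGIN value are all assumptions constructed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed placeholder for the site's own origin (not an mlflow value).
ALLOWED_ORIGIN = "https://tracking.example.internal"


@dataclass
class Session:
    """Minimal stand-in for a server-side session bound to the browser's cookie."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (hypothetical type)."""
    method: str
    headers: dict
    form: dict


def _origin_allowed(request: Request) -> bool:
    # Browsers attach Origin (or at least Referer) to cross-site form posts,
    # so a POST claiming to come from somewhere else is rejected outright.
    origin = request.headers.get("Origin") or request.headers.get("Referer")
    return origin is not None and origin.startswith(ALLOWED_ORIGIN)


def _token_matches(session: Session, request: Request) -> bool:
    # Synchronizer token: the form must echo back the secret minted for this
    # session. A cross-site page cannot read it, so it cannot forge the field.
    submitted = request.form.get("csrf_token", "")
    return hmac.compare_digest(submitted.encode(), session.csrf_token.encode())


def handle_signup_unprotected(session: Session, request: Request, users: dict) -> int:
    """Vulnerable shape: any POST carrying the victim's cookies creates an account."""
    if request.method != "POST":
        return 405
    username = request.form.get("username")
    password = request.form.get("password")
    if not username or not password or username in users:
        return 400
    users[username] = password
    return 201


def handle_signup_protected(session: Session, request: Request, users: dict) -> int:
    """Hardened shape: same logic, but the request must prove it is same-site."""
    if request.method != "POST":
        return 405
    if not _origin_allowed(request) or not _token_matches(session, request):
        return 403  # refuse before touching any state
    return handle_signup_unprotected(session, request, users)


if __name__ == "__main__":
    sess = Session()
    # Constructed cross-site POST: no token, foreign Origin.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"username": "mallory", "password": "pw"})
    print("unprotected:", handle_signup_unprotected(sess, forged, {}))  # 201
    print("protected:  ", handle_signup_protected(sess, forged, {}))    # 403
```

Checking the Origin header alone is cheap but fails for clients that strip it; the token alone is robust but only if it is compared in constant time and never leaked into a cross-site readable response, which is why the protected handler requires both.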

Classification

CVE ID: CVE-2025-1473

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Problem Types

CWE-352 Cross-Site Request Forgery (CSRF)

Affected Products

Vendor: mlflow

Product: mlflow/mlflow

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (estimated probability of exploitation in the wild)

EPSS Percentile: 1.51% (share of all scored CVEs with an EPSS score less than or equal to this one)

EPSS Date: 2025-04-14 (date this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1473
https://huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809df1d45
https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628

Timeline