In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.
CVE ID: CVE-2025-1474
CVSS Base Severity: LOW
CVSS Base Score: 3.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
Vendor: mlflow
Product: mlflow/mlflow
EPSS Score: 0.04% (probability of being exploited)
EPSS Percentile: 9.54% (share of scored vulnerabilities with an EPSS score less than or equal to this one)
EPSS Date: 2025-04-18 (date this score was calculated)