Base Score

HIGH7.1

CVE-2025-1473

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

VectorNETWORK

Published Bysecurity@huntr.dev

Published DateMar 20, 2025, 10:15

Affected Versions(1)

mlflow(PyPI)

Introduced2.17.0

Fixed2.20.3

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
mlflow(PyPI)	2.17.0	2.20.3	N/A

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

7.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

NONE

References

Base Score

HIGH7.1

Weakness Type (CWE):CWE-352

CVSS Metrics

Base Score

7.1

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

REQUIRED

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

LOW

Availability (A)

NONE