Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-1473

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Published

2025-03-20T10:15:53.903

Last Modified

2025-08-05T17:05:22.780

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.1 (HIGH)

Weaknesses

Type: Primary
CWE-352

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lfprojects	mlflow	< 2.20.1	Yes

References

https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628 Patch ([email protected])
https://huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809df1d45 Exploit, Third Party Advisory ([email protected])