Published March 20, 2025
A Cross-Site Request Forgery (CSRF) vulnerability in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1 lets an attacker-controlled web page make a victim's browser submit a signup request, creating a new account that the attacker can then use to perform unauthorized actions.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| mlflow | pip | >= 2.17.0, < 2.20.3 | 2.20.3 |
Severity & Risk
CVSS 3.1 base score: 7.1 / 10 (High)
EPSS: 0.1% (estimated probability of exploitation in the next 30 days)
KEV status: not in CISA KEV
Sophistication: N/A
Recommended Action
Patch available
Update mlflow to version 2.20.3 or later, for example with pip install --upgrade "mlflow>=2.20.3".
Technical Details
NVD Description
A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.
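To make the description concrete, the following is an added example constructed for this page; it is not mlflow code and does not reproduce the project's fix in the commit referenced below. It shows a minimal signup handler that accepts any cross-site form POST, beside a hardened handler that checks the request's source origin (Origin, falling back to Referer) and a synchronizer token bound to the session cookie. The deployment origin https://mlflow.internal.example, the attacker site https://attacker.example, the cookie name "session" and all handler names are assumptions.

```python
"""CSRF-prone signup endpoint next to a hardened variant (constructed example for
the advisory above; not mlflow code and not the project's fix)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse

APP_ORIGIN = "https://mlflow.internal.example"  # assumed deployment origin


@dataclass
class Request:
    method: str
    headers: dict  # Origin / Referer / Cookie as the browser would send them
    form: dict     # decoded application/x-www-form-urlencoded body


def _origin_of(url: str) -> str:
    p = urlparse(url)
    return f"{p.scheme}://{p.netloc}"


def _session_cookie(cookie_header: str) -> str:
    """Value of the 'session' cookie in a Cookie header, or '' if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


@dataclass
class SignupServer:
    users: dict = field(default_factory=dict)        # username -> password
    csrf_tokens: dict = field(default_factory=dict)  # session id -> token

    def _create_user(self, form: dict) -> str:
        user, pwd = form.get("username"), form.get("password")
        if not user or not pwd or user in self.users:
            return "400 Bad Request"
        self.users[user] = pwd
        return f"201 Created {user}"

    # Vulnerable: any POST carrying the right field names creates an account.
    # Nothing tells the handler whether the form came from this app or from a
    # page on another site that the victim's browser was tricked into submitting.
    def signup_vulnerable(self, req: Request) -> str:
        if req.method != "POST":
            return "405 Method Not Allowed"
        return self._create_user(req.form)

    # Hardened, step 1: when the signup form is rendered, mint a synchronizer
    # token, bind it to the browser's session cookie and embed it as a hidden
    # field. The same-origin policy keeps a cross-site page from reading it.
    def issue_csrf_token(self, session_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.csrf_tokens[session_id] = token
        return token

    # Hardened, step 2: reject requests whose source origin is not this app or
    # whose token does not match the one bound to the session cookie.
    def signup_hardened(self, req: Request) -> str:
        if req.method != "POST":
            return "405 Method Not Allowed"
        source = req.headers.get("Origin") or req.headers.get("Referer")
        if not source or _origin_of(source) != APP_ORIGIN:
            return "403 Forbidden: unexpected source origin"
        session_id = _session_cookie(req.headers.get("Cookie", ""))
        expected = self.csrf_tokens.get(session_id)
        submitted = req.form.get("csrf_token", "")
        if expected is None or not hmac.compare_digest(expected.encode(), submitted.encode()):
            return "403 Forbidden: missing or invalid CSRF token"
        return self._create_user(req.form)


def forged_request(victim_cookie: str, username: str, password: str) -> Request:
    """What a browser sends when an attacker-controlled page auto-submits a form
    to APP_ORIGIN/signup: Origin names the attacker's site (assumed), the browser
    attaches whatever cookies it holds for APP_ORIGIN, and no token is present."""
    return Request("POST",
                   {"Origin": "https://attacker.example", "Cookie": victim_cookie},
                   {"username": username, "password": password})


def demo() -> dict:
    """Forged request against both handlers, then a legitimate hardened signup."""
    vulnerable, hardened = SignupServer(), SignupServer()
    forged = forged_request("session=victim1", "attacker", "hunter2")
    results = {"vulnerable": vulnerable.signup_vulnerable(forged),
               "hardened_forged": hardened.signup_hardened(forged)}
    token = hardened.issue_csrf_token("victim1")  # browser loaded the real form
    legit = Request("POST", {"Origin": APP_ORIGIN, "Cookie": "session=victim1"},
                    {"username": "alice", "password": "s3cret", "csrf_token": token})
    results["hardened_legit"] = hardened.signup_hardened(legit)
    results["vulnerable_users"] = sorted(vulnerable.users)
    results["hardened_users"] = sorted(hardened.users)
    return results
```

Running demo() shows the forged request creating the "attacker" account under the vulnerable handler and being refused by the hardened one, while a same-origin request that carries the token issued for its session is accepted; a same-origin request with a wrong or absent token is refused as well. Note that the vulnerable handler in this model never consults the victim's cookies at all, so on a self-service signup endpoint a SameSite cookie attribute alone does not close the hole; the origin check and the token do.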
Weaknesses (CWE)
CWE-352: Cross-Site Request Forgery (CSRF)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
References
- github.com/advisories/GHSA-969w-gqqr-g6j3
- github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628 (Patch)
- huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809df1d45 (Exploit, 3rd party)
- nvd.nist.gov/vuln/detail/CVE-2025-1473
Timeline
Published: March 20, 2025
Last Modified: August 5, 2025
First Seen: March 20, 2025