CVE-2025-1474 — MEDIUM (5.5)

Q: How severe is CVE-2025-1474?

CVE-2025-1474 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-1474?

Check the references section above for vendor advisories and patch information. Affected products include: Lfprojects Mlflow.

Vulnerability Description

In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Lfprojects	Mlflow	< 2.19.0

Related Weaknesses (CWE)

CWE-521

References

https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17Patch
https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2dExploitThird Party Advisory

FAQ

What is CVE-2025-1474?

CVE-2025-1474 is a vulnerability with a CVSS score of 5.5 (MEDIUM). In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptib...

How severe is CVE-2025-1474?

CVE-2025-1474 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-1474?

Check the references section above for vendor advisories and patch information. Affected products include: Lfprojects Mlflow.