CVE-2025-1474
Improper Authentication vulnerability in mlflow

What is CVE-2025-1474 About?
This vulnerability in mlflow/mlflow version 2.18 allows an administrator to create new user accounts without setting a password. This oversight leads to unauthenticated accounts, making them vulnerable to unauthorized access and violating secure user management practices. Exploitation is straightforward, requiring administrative privileges to create the account.
Affected Software
- mlflow
  - <2.19.0
  - <149c9e18aa219bc47e86b432e130e467a36f4a17 (git commit)

Technical Details
In mlflow/mlflow version 2.18, the user account creation process, when initiated by an administrator, permits the creation of new user accounts without enforcing the setting of a password. This means that an account can exist within the system with a null or empty password, effectively making it accessible to anyone who attempts to log in with that username or otherwise bypasses basic authentication checks. This bypass of standard password security measures allows for unauthorized access to the created account, undermining the integrity of user management and potentially leading to broader system compromise.
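The defect class described above, as an added example that is not mlflow's own code: a minimal in-memory user store whose vulnerable `create_user` path silently accepts a missing password (hashing the empty string), beside a hardened path that rejects it, plus an audit helper a defender can run over an existing store to find accounts that accept an empty password. Names, the PBKDF2 round count and the minimum-length policy are assumptions made for this example, not mlflow settings.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed in-memory user store for the example:
#   username -> {"password_hash": "saltHex$digestHex" or None, "is_admin": bool}
UserStore = Dict[str, dict]

PBKDF2_ROUNDS = 200_000      # assumption for this example, not an mlflow setting
MIN_PASSWORD_LENGTH = 8      # assumption: policy enforced only by the hardened path


def _hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as 'saltHex$digestHex' (stdlib only)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def _verify_password(stored: Optional[str], candidate: str) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    if not stored or "$" not in stored:
        return False                      # no usable hash: nothing can verify
    salt_hex, _ = stored.split("$", 1)
    recomputed = _hash_password(candidate, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def create_user_vulnerable(store: UserStore, username: str,
                           password: Optional[str] = None, is_admin: bool = False) -> None:
    """Defect class from the advisory: an admin request with no password still
    creates the account, with the empty string hashed as its credential."""
    store[username] = {"password_hash": _hash_password(password or ""), "is_admin": is_admin}


def create_user_hardened(store: UserStore, username: str,
                         password: Optional[str], is_admin: bool = False) -> None:
    """Fixed behaviour: refuse to create an account without a real password."""
    if not isinstance(password, str) or not password.strip():
        raise ValueError("password is required and may not be empty")
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if not username or username in store:
        raise ValueError("username missing or already taken")
    store[username] = {"password_hash": _hash_password(password), "is_admin": is_admin}


def authenticate(store: UserStore, username: str, password: str) -> bool:
    """Login check; for an account made by the vulnerable path, '' succeeds."""
    record = store.get(username)
    return record is not None and _verify_password(record.get("password_hash"), password)


def find_passwordless_accounts(store: UserStore) -> List[str]:
    """Audit helper for existing deployments: usernames whose account has no
    hash at all or accepts the empty password."""
    return sorted(
        name for name, record in store.items()
        if not record.get("password_hash") or _verify_password(record["password_hash"], "")
    )


if __name__ == "__main__":
    users: UserStore = {}
    create_user_vulnerable(users, "svc-account")            # admin omitted the password
    print("empty password accepted:", authenticate(users, "svc-account", ""))
    print("passwordless accounts:", find_passwordless_accounts(users))
    try:
        create_user_hardened(users, "new-user", None)
    except ValueError as exc:
        print("hardened path refused:", exc)
```

The audit helper is the part worth keeping after patching: upgrading mlflow stops new passwordless accounts from being created, but accounts created while the affected version was running remain in the store until they are found and reset.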
What is the Impact of CVE-2025-1474?
Successful exploitation may allow attackers to gain unauthorized access to user accounts, compromise data associated with those accounts, or escalate privileges within the system, leading to data breaches or system control.
What is the Exploitability of CVE-2025-1474?
Exploitation of this vulnerability is of low complexity. It requires an attacker to possess administrative privileges to create a new user account. Once an account without a password is created, no further authentication is needed to log into that specific account. The vulnerability is local to the administrative interface or API used for user creation, but the impact of an unauthenticated account can be remote. The main risk factors are an administrator who creates such an account, whether inadvertently or maliciously, and a passwordless account that remains reachable for remote login attempts.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-1474?
Available Upgrade Options
- mlflow <2.19.0 → Upgrade to 2.19.0
- mlflow <149c9e18aa219bc47e86b432e130e467a36f4a17 → Upgrade to commit 149c9e18aa219bc47e86b432e130e467a36f4a17

Additional Resources
- https://github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2025-17.yaml
- https://osv.dev/vulnerability/GHSA-4rj2-9gcx-5qhx
- https://github.com/mlflow/mlflow
- https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17
- https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d
- https://nvd.nist.gov/vuln/detail/CVE-2025-1474
- https://osv.dev/vulnerability/PYSEC-2025-17
What are Similar Vulnerabilities to CVE-2025-1474?
Similar Vulnerabilities: CVE-2023-45802, CVE-2022-24784, CVE-2021-39226, CVE-2020-13777, CVE-2019-14002
