CVE-2025-1473

Source
https://cve.org/CVERecord?id=CVE-2025-1473
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1473.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-1473
Aliases
Published
2025-03-20T10:15:53.903Z
Modified
2026-03-09T23:50:39.871905Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N CVSS Calculator
Summary
[none]
Details

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow from version 2.17.0 up to the fix in 2.20.1 (the affected range recorded below lists 2.17.0 as introduced and 2.20.1 as fixed). Because the signup request is not verified as originating from the application's own pages, an attacker can cause a victim's browser to submit it and thereby create a new account of the attacker's choosing; that account may then be used to perform unauthorized actions.
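The following is an added illustration, not MLflow's code and not the fix referenced by this record: a minimal signup handler in the shape the Details describe (any POST reaching it creates an account) beside a hardened version that ties the request to a session cookie, checks the Origin header against the application's own origin, and requires a per-session synchronizer token in the form. The request object, the in-memory session and user stores, the origin `https://mlflow.example.com`, and the forged and legitimate requests are all constructed for the example. Note also that the vanir_signatures further down this record target the Java scoring server (`ScoringServer.java`, `doGet`), not a signup handler, so they are a weak indicator for this particular issue.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed deployment origin of the web UI; not taken from the advisory.
APP_ORIGIN = "https://mlflow.example.com"


@dataclass
class Request:
    """Minimal stand-in for a framework request object (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed in-memory stores standing in for the session layer and user table.
SESSIONS: dict = {}
USERS: dict = {}


def new_session() -> str:
    """Create a session and bind a fresh synchronizer token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the signup page would embed in its form for this session."""
    return SESSIONS[sid]["csrf_token"]


def create_account(form: dict):
    """Shared field validation and account creation (password hashing omitted)."""
    username = form.get("username")
    password = form.get("password")
    if not username or not password:
        return 400, "missing username or password"
    if username in USERS:
        return 409, "username taken"
    USERS[username] = password
    return 200, f"created {username}"


def signup_vulnerable(req: Request):
    """'Before' shape: any POST that reaches the handler creates an account.
    A form on an attacker's page can submit this from the victim's browser."""
    if req.method != "POST":
        return 405, "method not allowed"
    return create_account(req.form)


def origin_is_first_party(req: Request) -> bool:
    """Reject unless Origin (or, failing that, Referer) matches our own origin.
    Browsers send Origin on cross-site POSTs, so a forged request fails here."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == APP_ORIGIN


def signup_hardened(req: Request):
    """Hardened handler: session cookie + origin check + synchronizer token."""
    if req.method != "POST":
        return 405, "method not allowed"
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return 403, "no session"
    if not origin_is_first_party(req):
        return 403, "cross-site origin"
    expected = SESSIONS[sid]["csrf_token"].encode()
    supplied = str(req.form.get("csrf_token", "")).encode()
    # Constant-time compare so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return 403, "csrf token mismatch"
    return create_account(req.form)


def demo() -> dict:
    """Run a forged cross-site signup and a legitimate one through both handlers."""
    sid = new_session()
    forged = Request("POST",
                     headers={"Origin": "https://attacker.example"},
                     form={"username": "mallory", "password": "hunter2"},
                     cookies={"session": sid})  # browser attaches the victim's cookie
    legit = Request("POST",
                    headers={"Origin": APP_ORIGIN},
                    form={"username": "alice", "password": "correct horse",
                          "csrf_token": csrf_token_for(sid)},
                    cookies={"session": sid})
    return {
        "forged_vulnerable": signup_vulnerable(forged)[0],  # 200: account created
        "forged_hardened": signup_hardened(forged)[0],      # 403: rejected
        "legit_hardened": signup_hardened(legit)[0],        # 200: first-party request
    }


if __name__ == "__main__":
    print(demo())
```

The origin check and the token are independent layers: the origin check fails closed when the header is absent, and the token defends the case where an origin check is bypassed or misconfigured. Marking the session cookie `SameSite=Lax` or `Strict` adds a third layer, since the browser then omits the cookie from cross-site POSTs and the hardened handler stops at the session lookup.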

References

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type
GIT
Repo
https://github.com/mlflow/mlflow
Events
Database specific
{
    "versions": [
        {
            "introduced": "2.17.0"
        },
        {
            "fixed": "2.20.1"
        }
    ]
}

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/mlflow/mlflow/commit/cb69262fe58a0689056f68f4368d1b7704296c5c",
        "signature_type": "Line",
        "target": {
            "file": "mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "337790989433725412038630751075056464335",
                "249170095474537496017572805809341887872",
                "265617740387335315124281718573196279907",
                "248520135169040194161556615045875925829"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-1473-08972991",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/mlflow/mlflow/commit/cb69262fe58a0689056f68f4368d1b7704296c5c",
        "signature_type": "Line",
        "target": {
            "file": "mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java"
        },
        "deprecated": false,
        "digest": {
            "line_hashes": [
                "269405291552122194346538507471132020444",
                "205342522101935226192695116558528053284",
                "251669814725538675598117859072449257571",
                "67712642428662465909585702026871474399"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2025-1473-37000409",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/mlflow/mlflow/commit/cb69262fe58a0689056f68f4368d1b7704296c5c",
        "signature_type": "Function",
        "target": {
            "file": "mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java",
            "function": "doGet"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "162733977311982238867207374626216451371",
            "length": 189.0
        },
        "id": "CVE-2025-1473-4af8f3cc",
        "signature_version": "v1"
    },
    {
        "source": "https://github.com/mlflow/mlflow/commit/cb69262fe58a0689056f68f4368d1b7704296c5c",
        "signature_type": "Function",
        "target": {
            "file": "mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java",
            "function": "testScoringServerWithValidPredictorRespondsToVersionCorrectly"
        },
        "deprecated": false,
        "digest": {
            "function_hash": "6287921176302245627998445760826141095",
            "length": 483.0
        },
        "id": "CVE-2025-1473-c4c4ffe7",
        "signature_version": "v1"
    }
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-1473.json"