Low severityNVD Advisory· Published Mar 20, 2025· Updated Mar 20, 2025
Weak Password Requirements in mlflow/mlflow
CVE-2025-1474
Description
In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
mlflowPyPI | < 2.19.0 | 2.19.0 |
Affected products
3- osv-coords2 versions
< 2.19.0+ 1 more
- (no CPE)range: < 2.19.0
- (no CPE)range: < 2.19.0
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-4rj2-9gcx-5qhxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-1474ghsaADVISORY
- github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/mlflow/PYSEC-2025-17.yamlghsaWEB
- huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2dghsaWEB
News mentions
0No linked articles in our index yet.