cbcvebase.
CVE-2025-1473
published 2025-03-20

Priority: P432, high, 7.1 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
EPSS: 0.20% (10.2th percentile)

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
lfprojects | mlflow | >= 2.17.0 < 2.20.1 | 2.20.1
lfprojects | mlflow | >= 2.17.0 < 2.20.3 | 2.20.3
mlflow | mlflow_mlflow | >= unspecified < 2.20.2 | 2.20.2

CVSS provenance

nvd | v3.1 | 7.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
nvd | v3.0 | 5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N