CVE-2025-1473

High CVSS: 7.1

A Cross-Site Request Forgery (CSRF) vulnerability exists in the Signup feature of mlflow/mlflow versions 2.17.0 to 2.20.1. This vulnerability allows an attacker to create a new account, which may be used to perform unauthorized actions on behalf of the malicious user.

Vendor

Lfprojects

Product

Mlflow

CWE

CWE-352

Yayın Tarihi

2025-03-20 10:15:53

Güncelleme

2025-08-05 17:05:22

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-352 Mlflow HIGH Lfprojects 2025

Referanslar

https://github.com/mlflow/mlflow/commit/ecfa61cb43d3303589f3b5834fd95991c9706628 https://huntr.com/bounties/43dc50b6-7d1e-41b9-9f97-f28809df1d45

Benzer Kayıtlar

High

CVE-2026-34742

The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does no…

Medium

CVE-2026-34237

MCP Java SDK is the official Java SDK for Model Context Protocol servers and clients. Prior to versions 1.0.1 and 1.1.1,…

High

CVE-2026-33946

MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby S…

Critical

CVE-2025-15031

A vulnerability in MLflow's pyfunc extraction process allows for arbitrary file writes due to improper handling of tar a…

Medium

CVE-2026-29791

Agentgateway is an open source data plane for agentic AI connectivity within or across any agent framework or environmen…

High

CVE-2026-29064

Zarf is an Airgap Native Packager Manager for Kubernetes. From version 0.54.0 to before version 0.73.1, a path traversal…