{"id":"CVE-2025-1474","details":"In mlflow/mlflow version 2.18, an admin is able to create a new user account without setting a password. This vulnerability could lead to security risks, as accounts without passwords may be susceptible to unauthorized access. Additionally, this issue violates best practices for secure user account management. The issue is fixed in version 2.19.0.","aliases":["BIT-mlflow-2025-1474","GHSA-4rj2-9gcx-5qhx","PYSEC-2025-17"],"modified":"2026-04-12T17:59:03.611157Z","published":"2025-03-20T10:15:54.037Z","references":[{"type":"FIX","url":"https://github.com/mlflow/mlflow/commit/149c9e18aa219bc47e86b432e130e467a36f4a17"},{"type":"EVIDENCE","url":"https://huntr.com/bounties/e79f7774-10fe-46b2-b522-e73b748e3b2d"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mlflow/mlflow","events":[{"introduced":"0"},{"fixed":"ad1710112c3ff0e05f12833ea3b477a933438940"},{"fixed":"149c9e18aa219bc47e86b432e130e467a36f4a17"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.19.0"}]}}],"versions":["1.0.0","v0.2.0","v0.2.1","v0.3.0","v0.4.0","v0.4.1","v0.4.2","v0.5.0","v0.6.0","v0.7","v0.8.0","v0.8.1","v1.7.0","v2.19.0rc0","v2.2.0"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["119976202173985322142662010146675483579","111790580575330665945223063397430276476","93711223733489337305749208376308984538","336822367905009615108447329874552888163"]},"deprecated":false,"id":"CVE-2025-1474-08826480","signature_version":"v1","target":{"file":"mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java"},"source":"https://github.com/mlflow/mlflow/commit/ad1710112c3ff0e05f12833ea3b477a933438940","signature_type":"Line"},{"digest":{"threshold":0.9,"line_hashes":["318502323920898685159113264728708457060","213572139586300776098931092706225927423","238618800253856981807312229804229364110","9049207044064188207594244889128866472"]},"deprecated":false,"id":"CVE-2025-1474-233742d3","signature_version":"v1","target":{"file":"mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java"},"source":"https://github.com/mlflow/mlflow/commit/ad1710112c3ff0e05f12833ea3b477a933438940","signature_type":"Line"},{"digest":{"function_hash":"211075085918338316571174023934018655835","length":198},"deprecated":false,"id":"CVE-2025-1474-72bf4d11","signature_version":"v1","target":{"file":"mlflow/java/scoring/src/main/java/org/mlflow/sagemaker/ScoringServer.java","function":"doGet"},"source":"https://github.com/mlflow/mlflow/commit/ad1710112c3ff0e05f12833ea3b477a933438940","signature_type":"Function"},{"digest":{"function_hash":"77166690932838117269836397534454748801","length":492},"deprecated":false,"id":"CVE-2025-1474-ccf42594","signature_version":"v1","target":{"file":"mlflow/java/scoring/src/test/java/org/mlflow/ScoringServerTest.java","function":"testScoringServerWithValidPredictorRespondsToVersionCorrectly"},"source":"https://github.com/mlflow/mlflow/commit/ad1710112c3ff0e05f12833ea3b477a933438940","signature_type":"Function"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1474.json","vanir_signatures_modified":"2026-04-12T17:59:03Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N"}]}