CVE-2025-0453

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-0453

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0453.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-0453

Aliases

Published

2025-03-20T10:15:53Z

Modified

2025-04-03T10:11:57.364562Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

References

https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type: GIT
Repo: https://github.com/mlflow/mlflow
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

67b8870f5375e208e791e97d8ee6816d2618c4b4

Affected versions

1.*

1.0.0

v0.*

v0.2.0

v0.2.1

v0.3.0

v0.4.0

v0.4.1

v0.4.2

v0.5.0

v0.6.0

v0.7

v0.8.0

v0.8.1

v1.*

v1.7.0

v2.*

v2.17.0

v2.17.0rc0

v2.17.1

v2.17.2

v2.2.0