CVE-2025-0453

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-0453
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0453.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-0453
Aliases
Published
2025-03-20T10:11:02.779Z
Modified
2026-05-28T04:10:20.505608344Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service through Batched Queries in GraphQL in mlflow/mlflow
Details

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/0xxx/CVE-2025-0453.json",
    "cwe_ids": [
        "CWE-410"
    ],
    "cna_assigner": "@huntr_ai"
}
References

Affected packages

Git / github.com/mlflow/mlflow

Affected ranges

Type
GIT
Repo
https://github.com/mlflow/mlflow
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
67b8870f5375e208e791e97d8ee6816d2618c4b4
Database specific 
{
    "cpe": "cpe:2.3:a:lfprojects:mlflow:2.17.2:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.17.2"
        }
    ],
    "source": "CPE_STRING"
}

Affected versions

1.*
1.0.0
v0.*
v0.2.0
v0.2.1
v0.3.0
v0.4.0
v0.4.1
v0.4.2
v0.5.0
v0.6.0
v0.7
v0.8.0
v0.8.1
v1.*
v1.7.0
v2.*
v2.17.0
v2.17.0rc0
v2.17.1
v2.17.2
v2.2.0

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-0453.json"