CVE-2025-0453 – mlflow

Package

Manager: pip
Name: mlflow
Vulnerable Version: >=0 <=2.17.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00088 pctl0.26114

Details

MLflow Uncontrolled Resource Consumption vulnerability In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Metadata

Created: 2025-03-20T12:32:52Z
Modified: 2025-03-21T23:50:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-49m6-vrr9-2cqm/GHSA-49m6-vrr9-2cqm.json
CWE IDs: ["CWE-400"]
Alternative ID: GHSA-49m6-vrr9-2cqm
Finding: F067
Auto approve: 1