Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-0453

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Published

2025-03-20T10:15:53.017

Last Modified

2025-04-02T16:10:48.930

Status

Analyzed

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-400
Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	lfprojects	mlflow	2.17.2	Yes

References

https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b Exploit, Third Party Advisory ([email protected])
https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b Exploit, Third Party Advisory (134c704f-9b21-4f2e-91b3-4a467353bcc0)