Description

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to denial of service. An unauthenticated attacker can submit large batches of queries that each request all runs of a given experiment; servicing those batches can tie up every worker allocated to the MLflow server, leaving it unable to respond to other requests. The root cause is uncontrolled resource consumption: the endpoint does not bound the size or cost of the work a single request can ask for.
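
As an added illustration of a mitigation for the request shape the description names (this is example code, not code from MLflow or from the huntr report), the following stdlib-only Python checks a GraphQL POST body before it reaches the resolvers. It caps the number of operations in one batched request, the length and selection-set depth of each query document, and the number of times an expensive list-returning field is selected within one operation, so that aliasing cannot be used to repeat the expensive field inside a single query. The field name `searchRuns`, the limit values and the sample payloads are assumptions constructed for the example; a real deployment would take the field name from its own schema and wire the check into the server's request hook.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    """Caps applied to one POST to /graphql (values are assumptions for the example)."""
    max_batch_ops: int = 5          # operations allowed in one batched request
    max_query_chars: int = 4_000    # length of a single query document
    max_depth: int = 8              # nesting of selection sets
    max_expensive_fields: int = 1   # occurrences of EXPENSIVE_FIELD per operation


# Placeholder for the schema field that returns every run of an experiment.
# The real name depends on the deployment's schema; this is not taken from MLflow.
EXPENSIVE_FIELD = "searchRuns"


def selection_depth(query: str) -> int:
    """Return the deepest selection-set nesting by counting braces.

    Heuristic: braces inside GraphQL string literals or comments are not skipped,
    so the count can only be too high (the check fails closed, never open).
    """
    depth = deepest = 0
    for ch in query:
        if ch == "{":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced braces")
    if depth != 0:
        raise ValueError("unbalanced braces")
    return deepest


def count_field(query: str, field: str) -> int:
    """Count selections of `field`, aliased or not, so `a: field(...) b: field(...)`
    inside one operation is still caught."""
    pattern = r"\b" + re.escape(field) + r"\b\s*[({]"
    return len(re.findall(pattern, query))


def check_graphql_request(body: bytes, limits: Limits = Limits()) -> tuple[bool, str]:
    """Return (accepted, reason). Call before the GraphQL executor sees the request."""
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "body is not JSON"
    # A JSON array is a batch of operations; a single object is one operation.
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > limits.max_batch_ops:
        return False, f"batch of {len(ops)} operations exceeds {limits.max_batch_ops}"
    for i, op in enumerate(ops):
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, f"operation {i}: missing query string"
        query = op["query"]
        if len(query) > limits.max_query_chars:
            return False, f"operation {i}: query longer than {limits.max_query_chars} chars"
        try:
            depth = selection_depth(query)
        except ValueError as exc:
            return False, f"operation {i}: {exc}"
        if depth > limits.max_depth:
            return False, f"operation {i}: selection depth {depth} exceeds {limits.max_depth}"
        hits = count_field(query, EXPENSIVE_FIELD)
        if hits > limits.max_expensive_fields:
            return False, f"operation {i}: {EXPENSIVE_FIELD} selected {hits} times"
    return True, "ok"


# Constructed sample payloads (not captured traffic).
_RUNS = '{ searchRuns(experimentIds: ["1"]) { runs { info { runId } } } }'
SINGLE = json.dumps({"query": _RUNS}).encode()                 # one ordinary query
FLOOD = json.dumps([{"query": _RUNS}] * 200).encode()          # batch flood
ALIASED = json.dumps({"query": (
    '{ a: searchRuns(experimentIds: ["1"]) { runs { info { runId } } } '
    '  b: searchRuns(experimentIds: ["1"]) { runs { info { runId } } } }'
)}).encode()                                                  # alias abuse

if __name__ == "__main__":
    for name, body in (("single", SINGLE), ("flood", FLOOD), ("aliased", ALIASED)):
        print(name, check_graphql_request(body))
```

A shape check like this bounds what one request may ask for, but not how many requests a client sends; in practice it is paired with per-client rate limiting and a worker timeout. The brace counter is deliberately simple; a deployment that already runs a GraphQL library should prefer that library's schema-aware validation rules over a regex.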

Status: PUBLISHED | Reserved 2025-01-13 | Published 2025-03-20 | Updated 2025-10-15 | Assigner @huntr_ai

Severity: MEDIUM 5.9 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

Problem types

CWE-410 Insufficient Resource Pool

Product status

Any version: affected

References

huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b (exploit)

cve.org (CVE-2025-0453)

nvd.nist.gov (CVE-2025-0453)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.