CVE-2025-0453

Exploit

EPSS 0.11%
Veröffentlicht 20.03.2025 10:11:02
Zuletzt bearbeitet 15.10.2025 13:16:00
Quelle security@huntr.dev
CVE-Watchlists
Login
Unerledigt
Login

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Lfprojects ≫ Mlflow Version2.17.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.11%	0.293

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security@huntr.dev	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-410 Insufficient Resource Pool

The product's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-0453

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-0453

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-0453

EUVD