CVE-2025-0453

Exploit

EPSS 0.09%
Published 20.03.2025 10:11:02
Last modified 02.04.2025 16:10:48
Source security@huntr.dev
Teams watchlist Login
Open Login

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Data is provided by the National Vulnerability Database (NVD)

Lfprojects ≫ Mlflow Version2.17.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.09%	0.26

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security@huntr.dev	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b

Third Party Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-0453

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-0453

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-0453

EUVD