CVE-2025-0453
MLflow Uncontrolled Resource Consumption vulnerability
5.9
MEDIUM
CVSS 3.1
EPSS 0.32%
Description
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.
How to fix CVE-2025-0453
To remediate CVE-2025-0453, upgrade the affected package to a fixed version below.
- —upgrade to 2.18.0 or later
- —no fix listed
Is CVE-2025-0453 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- >= 2.17.2, < 2.18.0
- from 0, <= 2.17.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |