cvedb.io
CVE-2025-0453
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-03-20T10:15:53.017 · Last modified 2026-06-17T08:26:30.630

Summary

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Affected products

lfprojects — mlflow

Does this affect you?

Add your gear to cvedb and we'll alert you only when lfprojects ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.