What is the severity of CVE-2025-0453?

CVE-2025-0453 has a high severity due to its potential for a denial of service attack.

How do I fix CVE-2025-0453?

To fix CVE-2025-0453, upgrade to a patched version of MLflow that addresses this vulnerability.

What systems are affected by CVE-2025-0453?

CVE-2025-0453 affects MLflow version 2.17.2 and potentially earlier versions.

What attack vector does CVE-2025-0453 utilize?

CVE-2025-0453 allows attackers to exploit the `/graphql` endpoint by submitting large batches of queries.

What impact does CVE-2025-0453 have on MLflow?

CVE-2025-0453 can tie up all workers within MLflow, leading to service unavailability.

Vulnerability/
CVE-2025-0453

high

7.5

CWE

400

20/3/2025

2/4/2025

CVE-2025-0453: Denial of Service through Batched Queries in GraphQL in mlflow/mlflow

First published: Thu Mar 20 2025(Updated: )

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Credit: security@huntr.dev

Affected Software	Affected Version	How to fix
MLflow
pip/mlflow	<=2.17.2
MLflow	=2.17.2

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-0453?
CVE-2025-0453 has a high severity due to its potential for a denial of service attack.
How do I fix CVE-2025-0453?
To fix CVE-2025-0453, upgrade to a patched version of MLflow that addresses this vulnerability.
What systems are affected by CVE-2025-0453?
CVE-2025-0453 affects MLflow version 2.17.2 and potentially earlier versions.
What attack vector does CVE-2025-0453 utilize?
CVE-2025-0453 allows attackers to exploit the `/graphql` endpoint by submitting large batches of queries.
What impact does CVE-2025-0453 have on MLflow?
CVE-2025-0453 can tie up all workers within MLflow, leading to service unavailability.

agent/title
agent/weakness
agent/description
agent/type
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/author
agent/severity
collector/github-advisory-latest
source/GitHub
alias/GHSA-49m6-vrr9-2cqm
alias/CVE-2025-0453
agent/source
agent/references
agent/last-modified-date
agent/softwarecombine
agent/event
collector/nvd-cve
source/NVD
collector/mitre-cve
source/MITRE
collector/github-advisory
agent/tags
collector/nvd-api
vendor/mlflow
canonical/mlflow
package-manager/pip
vendor/lfprojects
version/mlflow/2.17.2

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.