HIGH🇵🇱 Wersja polska

CVE-2025-0453

CVSS 7.5v3.1pub. 2025-03-20upd. 2025-10-15

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Lfprojects Mlflow

    APP
    Lfprojects
    2.17.2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
DoS
CWE
References

Related vulnerabilities

CVE-2026-2651CRITICAL9.0PL ✓ten sam produkt

MLflow: nieautoryzowany dostęp do endpointów multipart upload (RCE)

CVE-2026-2611CRITICAL9.6PL ✓ten sam produkt

MLflow: nieprawidłowa walidacja origin umożliwia RCE przez cross-origin request

CVE-2026-0545CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w endpointach FastAPI jobs w MLflow (Auth Bypass / RCE)

CVE-2025-15036CRITICAL10.0PL ✓ten sam produkt

Path traversal w MLflow — nadpisanie plików i eskalacja uprawnień

CVE-2025-15379CRITICAL9.8PL ✓ten sam produkt

Command injection w MLflow podczas inicjalizacji kontenera modelu