MEDIUM 5.9

GHSA-49m6-vrr9-2cqm

MLflow Uncontrolled Resource Consumption vulnerability

Details

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / mlflow

Introduced in: 0

No fixed version published yet for mlflow (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-0453 [ADVISORY]
https://github.com/mlflow/mlflow [PACKAGE]
https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b [WEB]