Denial of Service Vulnerability in MLflow by Databricks
CVE-2025-0453
7.5 HIGH
What is CVE-2025-0453?
In MLflow version 2.17.2, the /graphql endpoint is vulnerable to denial of service. An unauthenticated attacker can send large batches of GraphQL queries that repeatedly request every run in a given experiment; because each query ties up a server worker for the duration of the request, such batches can occupy all of MLflow's allocated workers. While the workers are saturated, the application cannot respond to legitimate user requests, so its availability is compromised. Addressing this vulnerability is necessary to keep MLflow deployments performant and available to their users.
Affected Version(s)
mlflow/mlflow <= unspecified
References
CVSS V3.1
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
CVSS V3.0
Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability reserved