Cyber Resilience

CVE-2025-0453

Severity: High · Public PoC

Published: 20 March 2025
Modified: 15 October 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0032 (55.9th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0453 is a high-severity Insufficient Resource Pool (CWE-410) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). The CVE ranks in the top 44.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under Other Platforms, in the Other ATLAS/OWASP Terms risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-0453 is a denial-of-service vulnerability in mlflow/mlflow version 2.17.2, specifically in the `/graphql` endpoint. The issue stems from uncontrolled resource consumption (classified here as CWE-410, Insufficient Resource Pool): an attacker can send large batches of queries that each repeatedly request all runs from a given experiment. Executing such a batch occupies every worker allocated to MLflow, so the application can no longer respond to other requests.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable over the network with low attack complexity, requiring no privileges or user interaction, and results in high availability impact with no effects on confidentiality or integrity. Remote, unauthenticated attackers can trigger the DoS condition, rendering the MLflow service unresponsive.

Mitigation details are available in advisories referenced at https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b. The vulnerability was published on 2025-03-20.

EU & UK References

Vulnerability details

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

CWE(s)

CWE-410 Insufficient Resource Pool

AI Security Analysis (AI-generated)

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mlflow

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1499.003 Application Exhaustion Flood (tactic: Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The CVE enables denial of service via large GraphQL query batches that exhaust MLflow application workers through uncontrolled resource consumption, mapping to Application Exhaustion Flood.

CVEs Like This One

CVE-2024-8859 (same product: Lfprojects Mlflow)
CVE-2025-1473 (same product: Lfprojects Mlflow)
CVE-2025-14287 (same product: Lfprojects Mlflow)
CVE-2026-0596 (same product: Lfprojects Mlflow)
CVE-2026-2652 (same product: Lfprojects Mlflow)
CVE-2025-15031 (same product: Lfprojects Mlflow)
CVE-2026-4035 (same product: Lfprojects Mlflow)
CVE-2026-0545 (same product: Lfprojects Mlflow)
CVE-2025-11200 (same product: Lfprojects Mlflow)
CVE-2025-11201 (same product: Lfprojects Mlflow)

Affected Assets

Vendor: lfprojects
Product: mlflow
Version: 2.17.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated)

Control type: prevent, detect

Directly protects against denial-of-service attacks by limiting effects of resource exhaustion from large GraphQL query batches that tie up MLflow workers.

Control type: prevent

Remediates the specific flaw in MLflow 2.17.2's /graphql endpoint causing uncontrolled resource consumption from excessive experiment run queries.

Control type: prevent

Protects resource availability by enforcing allocation controls like query limits and worker pool quotas to prevent exhaustion by repeated large requests.
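One way to enforce the query-limit control described above, as an added example that is not MLflow's own code: a request gate for the `/graphql` endpoint that caps batch size, per-query size and the number of costly selections before any resolver runs. The policy values, the sample bodies and the `runs` field name are assumptions made for this example.

```python
import json
import re
from typing import List, Tuple

# Policy values are constructed for this example, not MLflow defaults.
MAX_BODY_BYTES = 64 * 1024        # raw request body cap
MAX_BATCH_OPERATIONS = 5          # operations allowed in one batched request
MAX_QUERY_CHARS = 4000            # size cap per query document
MAX_EXPENSIVE_SELECTIONS = 20     # total selections of costly fields per request
# Hypothetical name for the costly "all runs of an experiment" selection.
EXPENSIVE_FIELD = re.compile(r"\bruns\b")

def _operations(payload) -> List[dict]:
    """A batched GraphQL body is a JSON array; a single request is an object."""
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict):
        return [payload]
    raise ValueError("body must be a JSON object or array")

def check_graphql_request(body: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason); runs before any resolver, so a refused batch costs no worker."""
    if len(body) > MAX_BODY_BYTES:
        return False, f"body of {len(body)} bytes exceeds {MAX_BODY_BYTES}"
    try:
        ops = _operations(json.loads(body))
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return False, f"malformed body: {exc}"
    if len(ops) > MAX_BATCH_OPERATIONS:
        return False, f"batch of {len(ops)} operations exceeds {MAX_BATCH_OPERATIONS}"
    expensive = 0
    for i, op in enumerate(ops):
        query = op.get("query") if isinstance(op, dict) else None
        if not isinstance(query, str) or not query.strip():
            return False, f"operation {i} has no query string"
        if len(query) > MAX_QUERY_CHARS:
            return False, f"operation {i} exceeds {MAX_QUERY_CHARS} chars"
        expensive += len(EXPENSIVE_FIELD.findall(query))
    if expensive > MAX_EXPENSIVE_SELECTIONS:
        return False, f"{expensive} costly selections exceed {MAX_EXPENSIVE_SELECTIONS}"
    return True, "ok"

# Constructed sample bodies: one ordinary request and one abusive batch.
SAMPLE_SINGLE = json.dumps({"query": '{ experiment(id: "1") { name } }'}).encode()
SAMPLE_BATCH = json.dumps([{"query": '{ experiment(id: "1") { runs { id } } }'}] * 200).encode()

def demo() -> dict:
    return {k: check_graphql_request(b) for k, b in
            [("single", SAMPLE_SINGLE), ("batch", SAMPLE_BATCH)]}
```

The check is meant to be attached as a pre-request hook on the server (for example a Flask `before_request` hook scoped to `/graphql`), so an oversized batch is rejected before it reaches the worker pool.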

References