CVE-2025-0453
Published: 20 March 2025
Summary
CVE-2025-0453 is a high-severity Insufficient Resource Pool (CWE-410) vulnerability in Lfprojects Mlflow. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked in the top 44.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Other Platforms; in the Other ATLAS/OWASP Terms risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly protects against denial-of-service attacks by limiting effects of resource exhaustion from large GraphQL query batches that tie up MLflow workers.
Remediates the specific flaw in MLflow 2.17.2's /graphql endpoint causing uncontrolled resource consumption from excessive experiment run queries.
Protects resource availability by enforcing allocation controls like query limits and worker pool quotas to prevent exhaustion by repeated large requests.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE enables denial of service via large GraphQL query batches that exhaust MLflow application workers through uncontrolled resource consumption, mapping to Application Exhaustion Flood.
NVD Description
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated…
more
by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.
Deeper analysisAI
CVE-2025-0453 is a denial-of-service vulnerability in mlflow/mlflow version 2.17.2, specifically affecting the `/graphql` endpoint. The issue stems from uncontrolled resource consumption (CWE-410), where an attacker can send large batches of queries that repeatedly request all runs from a given experiment. This exhausts all workers allocated by MLflow, preventing the application from responding to other requests.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable over the network with low attack complexity, requiring no privileges or user interaction, and results in high availability impact with no effects on confidentiality or integrity. Remote, unauthenticated attackers can trigger the DoS condition, rendering the MLflow service unresponsive.
Mitigation details are available in advisories referenced at https://huntr.com/bounties/788327ec-714a-4d5c-83aa-8df04dd7612b. The vulnerability was published on 2025-03-20.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Other Platforms
- Risk Domain
- Other ATLAS/OWASP Terms
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- MLflow is an open-source platform for managing the ML lifecycle, including experiment tracking and deployment, fitting 'Other Platforms'. The vulnerability affects its GraphQL endpoint for querying ML runs.