Insufficient Resource Pool

CVE-2025-0453

High

7.5/10

Summary

In mlflow/mlflow, the `/graphql` endpoint is vulnerable to a Denial of Service (DOS) attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption. This issue affects mlflow versions prior to 3.1.1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-410 - Insufficient Resource Pool

The software's resource pool is not large enough to handle peak demand, which allows an attacker to prevent others from accessing the resource by using a (relatively) large number of requests for resources.

References

Advisory
Disclosure
Issue
Pull request

Advisory Timeline

Published Mar 20, 2025

Insufficient Resource Pool

CVE-2025-0453

Summary

CWE-410 - Insufficient Resource Pool

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS