Miggo Logo
Miggo Vulnerability Database
CVE-2025-0453

CVE-2025-0453: MLflow Uncontrolled Resource Consumption vulnerability

5.9

CVSS Score
3.0

Basic Information

CVE ID
CVE-2025-0453
GHSA ID
GHSA-49m6-vrr9-2cqm
EPSS Score
0.2616%
CWE
CWE-400
Published
3/20/2025
Updated
3/21/2025
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
mlflowpip

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from the /graphql endpoint's handling of experiment run queries. GraphQL resolvers like resolve_runs would be responsible for fetching experiment runs. The advisory indicates attackers exploit this by repeatedly requesting all runs, which implies the resolver lacks safeguards like query cost analysis, maximum result limits, or rate-limiting. This matches the CWE-400 pattern where resource consumption isn't controlled. The handler file is the logical location for GraphQL resolver implementations in MLflow's architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In ml*low/ml*low v*rsion *.**.*, t** `/*r*p*ql` *n*point is vuln*r**l* to * **ni*l o* s*rvi** *tt**k. *n *tt**k*r **n *r**t* l*r** **t***s o* qu*ri*s t**t r*p**t**ly r*qu*st *ll runs *rom * *iv*n *xp*rim*nt. T*is **n ti* up *ll t** work*rs *llo**t**

Reasoning

T** vuln*r**ility st*ms *rom t** /*r*p*ql *n*point's **n*lin* o* *xp*rim*nt run qu*ri*s. *r*p*QL r*solv*rs lik* r*solv*_runs woul* ** r*sponsi*l* *or **t**in* *xp*rim*nt runs. T** **visory in*i**t*s *tt**k*rs *xploit t*is *y r*p**t**ly r*qu*stin* *ll