GHSA-49m6-vrr9-2cqm

Опубликовано: 20 мар. 2025

Источник: github

Github: Прошло ревью

CVSS3: 5.9

Описание

MLflow Uncontrolled Resource Consumption vulnerability

In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

Ссылки

Пакеты

Наименование

mlflow

pip

Затронутые версииВерсия исправления

<= 2.17.2

Отсутствует

EPSS

Процентиль: 34%

0.00136

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2025-0453

Дефекты

CWE-400

CWE-410

Связанные уязвимости

CVE-2025-0453

CVSS3: 7.5

nvd

11 месяцев назад

In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLFlow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.

EPSS

Процентиль: 34%

0.00136

Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2025-0453

Дефекты

CWE-400

CWE-410