Denial of Service through Batched Queries in GraphQL in mlflow/mlflow
Description
In mlflow/mlflow version 2.17.2, the /graphql endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLflow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Uncontrolled resource consumption in mlflow's /graphql endpoint allows denial of service via large batch queries.
Root Cause
The /graphql endpoint in mlflow version 2.17.2 suffers from uncontrolled resource consumption. An attacker can submit large batches of GraphQL queries that repeatedly request all runs from a given experiment, tying up all available workers and preventing the application from handling other requests [1].
Exploitation
An attacker can exploit this vulnerability by crafting multiple GraphQL queries that each fetch all runs from an experiment. No specific authentication or network position is required beyond access to the endpoint. The attack consists of sending many such queries in parallel, overwhelming the worker pool [1].
Impact
Successful exploitation results in a denial of service condition. The MLflow application becomes unresponsive to legitimate traffic, disrupting AI/ML operations that depend on the service [1].
Mitigation
As of the publication date of this CVE, no official patch has been released. Users are advised to monitor the official mlflow repository for updates and consider applying rate limiting or other resource controls to the /graphql endpoint [2][3].
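One way to apply the resource controls suggested above is to reject oversized batches and rate-limit clients before any resolver work is scheduled. The following is an added example, not MLflow's own code; the limit values, the `check_graphql_request` helper and its in-memory per-client counter are assumptions.

```python
import json
import time
from collections import defaultdict
from typing import Optional, Tuple

# Assumed limits (constructed values); tune them for the deployment.
MAX_BATCH = 5          # operations allowed in one batched /graphql request
RATE_LIMIT = 20        # requests per client per window
WINDOW_SECONDS = 10.0

# client id -> timestamps of recent requests. In-process only: behind several
# workers or replicas this state must live in a shared store such as Redis.
_client_hits = defaultdict(list)


def check_graphql_request(body: str, client_id: str,
                          now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a raw /graphql request body may be handed to the resolvers.

    Returns (allowed, reason). Oversized batches and clients over the rate
    limit are rejected before any resolver work is scheduled, so a flood of
    batched queries cannot occupy the whole worker pool.
    """
    now = time.time() if now is None else now
    # Sliding-window rate limit: keep only hits inside the window, then add this one.
    hits = [t for t in _client_hits[client_id] if now - t < WINDOW_SECONDS]
    hits.append(now)
    _client_hits[client_id] = hits
    if len(hits) > RATE_LIMIT:
        return False, "rate limit exceeded"
    try:
        payload = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    # A batched request is a JSON array of operations; a single operation is an object.
    operations = payload if isinstance(payload, list) else [payload]
    if len(operations) > MAX_BATCH:
        return False, f"batch of {len(operations)} operations exceeds limit of {MAX_BATCH}"
    for op in operations:
        if not isinstance(op, dict) or not isinstance(op.get("query"), str):
            return False, "operation is missing a query string"
    return True, "ok"
```

Call the function from the request handler with the raw body and a client identifier (source address or API key) and return HTTP 429 or 400 when it says no; rejected requests never reach the resolvers that enumerate runs.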
- NVD - CVE-2025-0453
- GitHub - mlflow/mlflow: The open source AI engineering platform for agents, LLMs, and ML models. MLflow enables teams of all sizes to debug, evaluate, monitor, and optimize production-quality AI applications while controlling costs and managing access to models and data.
- The world’s first bug bounty platform for AI/ML
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| mlflow (PyPI) | <= 2.17.2 | — |
Affected products
- osv-coords (2 versions):
  - (no CPE) range: >= 2.17.2, < 2.18.0
  - (no CPE) range: <= 2.17.2
- mlflow/mlflow/mlflow v5: range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.