CVE-2025-0453: CWE-410 Insufficient Resource Pool in mlflow mlflow/mlflow
In mlflow/mlflow version 2.17.2, the `/graphql` endpoint is vulnerable to a denial of service attack. An attacker can create large batches of queries that repeatedly request all runs from a given experiment. This can tie up all the workers allocated by MLflow, rendering the application unable to respond to other requests. This vulnerability is due to uncontrolled resource consumption.
AI Analysis
Technical Summary
CVE-2025-0453 identifies a denial of service (DoS) vulnerability in the MLflow open-source platform, specifically version 2.17.2, which is widely used for managing the machine learning lifecycle. The vulnerability exists in the /graphql endpoint, where an attacker can submit large batches of GraphQL queries that request all runs associated with a particular experiment. This behavior causes excessive consumption of worker threads or processes allocated by MLflow to handle incoming requests. Because MLflow does not sufficiently limit or control resource allocation for these queries, the workers become fully occupied processing the attacker's requests, effectively preventing legitimate users from receiving responses. This results in a denial of service condition, impacting the availability of the MLflow service. The root cause is classified under CWE-410 (Insufficient Resource Pool), indicating that the system fails to properly manage resource pools to prevent exhaustion. The attack can be executed remotely over the network without authentication or user interaction, but requires crafting complex query batches, which raises the attack complexity. No known exploits have been reported in the wild, and no official patches or fixes have been released at the time of this report. The CVSS v3.0 base score is 5.9, reflecting a medium severity level, with the vector indicating network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high availability impact.
Potential Impact
For European organizations leveraging MLflow in their AI/ML workflows, this vulnerability poses a significant risk to service availability. Disruption of MLflow services can halt machine learning experiment tracking, model versioning, and deployment pipelines, potentially delaying critical AI-driven business processes. Industries such as finance, healthcare, automotive, and manufacturing, which increasingly rely on ML models for decision-making and automation, could face operational downtime and productivity loss. Additionally, organizations with MLflow exposed to the internet or accessible by multiple users are at higher risk of remote exploitation. Although the vulnerability does not compromise data confidentiality or integrity, the denial of service could indirectly affect business continuity and service level agreements. The absence of known exploits reduces immediate risk, but the medium severity and ease of remote access warrant proactive mitigation to prevent potential attacks.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict rate limiting on the /graphql endpoint to restrict the number of queries per user or IP address within a given timeframe. Deploying resource quotas or limits on worker threads/processes dedicated to handling GraphQL queries can prevent resource exhaustion. Monitoring and anomaly detection systems should be configured to identify unusual query patterns or spikes in requests targeting experiment runs. If possible, restrict access to the MLflow service to trusted internal networks or VPNs to reduce exposure. Employ Web Application Firewalls (WAFs) with custom rules to block or throttle suspicious GraphQL query payloads. Organizations should also track updates from the MLflow project for patches or security advisories addressing this issue and plan timely application of fixes once available. Finally, consider segmenting MLflow infrastructure to isolate critical components and minimize the blast radius of potential DoS attacks.
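One way to apply the payload-inspection recommendation above, as an added example (not MLflow code and not part of this advisory): a WSGI middleware that refuses oversized bodies, long JSON batches and documents with many root-level fields before they reach a worker. The limits, the names `GraphQLGuard`, `reject_reason` and `count_root_fields`, and the assumption that the tracking server is mounted as a WSGI app are choices made for this example.

```python
import io
import json
import re

# Assumed limits (not MLflow settings); size them from your own legitimate traffic.
MAX_BODY, MAX_BATCH, MAX_ROOT_FIELDS = 64 * 1024, 5, 10

def count_root_fields(query):
    """Conservatively count fields at brace depth 1; each alias counts once."""
    # Blank out string literals and comments so their contents are never tokenized.
    q = re.sub(r'"""[\s\S]*?"""|"(?:\\.|[^"\\\n])*"|#[^\n]*', " ", query)
    depth, parens, count, prev = 0, 0, 0, ""
    for tok in re.findall(r"[A-Za-z_]\w*|[{}():]", q):
        if tok in "{}":
            depth += 1 if tok == "{" else -1
        elif tok in "()":
            parens += 1 if tok == "(" else -1
        elif tok != ":" and depth == 1 and parens == 0 and prev != ":":
            count += 1  # a field or alias directly under an operation or fragment
        prev = tok
    return count

def reject_reason(raw):
    """Return None if the /graphql body is acceptable, else why it is refused."""
    if len(raw) > MAX_BODY:
        return "body too large"
    try:
        payload = json.loads(raw)
    except (ValueError, RecursionError):
        return "invalid JSON"
    ops = payload if isinstance(payload, list) else [payload]
    if len(ops) > MAX_BATCH or not all(isinstance(o, dict) for o in ops):
        return "too many or malformed batched operations"
    total = sum(count_root_fields(str(o.get("query", ""))) for o in ops)
    return "too many root fields" if total > MAX_ROOT_FIELDS else None

class GraphQLGuard:
    """WSGI middleware: inspect POST bodies for one path before the app runs."""
    def __init__(self, app, path="/graphql"):
        self.app, self.path = app, path
    def __call__(self, environ, start_response):
        if environ.get("PATH_INFO") == self.path and environ.get("REQUEST_METHOD") == "POST":
            cl = environ.get("CONTENT_LENGTH") or "0"
            length = int(cl) if cl.isdigit() else 0
            raw = environ["wsgi.input"].read(min(length, MAX_BODY + 1))
            reason = reject_reason(raw)
            if reason:
                start_response("400 Bad Request", [("Content-Type", "text/plain")])
                return [reason.encode()]
            environ["wsgi.input"] = io.BytesIO(raw)  # hand the body back to the app
        return self.app(environ, start_response)
```

Wrap the WSGI application object as `GraphQLGuard(app)`. The field counter is a deliberately conservative approximation rather than a full GraphQL parser, so directives and inline fragments may be overcounted.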
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: @huntr_ai
- Date Reserved: 2025-01-13T23:25:07.844Z
- Cvss Version: 3.0
- State: PUBLISHED
Threat ID: 68ef9b30178f764e1f470f14
Added to database: 10/15/2025, 1:01:36 PM
Last enriched: 10/15/2025, 1:05:04 PM
Last updated: 12/4/2025, 6:50:27 PM