CVE-2020-15195: TensorFlow: heap overflow in sparse gradient op

HIGH | PoC AVAILABLE
Published September 25, 2020

CISO Take

Any TensorFlow deployment below versions 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 that processes sparse tensors—whether in training or serving—is vulnerable to heap buffer overflow exploitable by a low-privileged network attacker. Patch immediately; no workaround neutralizes the underlying memory corruption. Audit your ML infrastructure inventory now—unpatched TF instances represent a known, multi-year exposure with public exploit details.

Risk Assessment

High risk for organizations running TensorFlow Serving APIs accessible to authenticated-but-untrusted users, or operating multi-tenant ML training platforms. CVSS 8.8 with network vector and low privilege requirement makes this broadly exploitable without user interaction. Although published in 2020, organizations with unmanaged ML dependency sprawl or containerized training infrastructure running pinned-old TF versions remain exposed. No KEV listing but public PoC exists via GitHub advisory.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow | pip | | No patch
leap | | | No patch

tensorflow package profile: 195.0K, OpenSSF 7.2, 3.7K dependents, pushed 6d ago, 4% patched, ~1372d to patch

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 58% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

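AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High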

Recommended Action

1. PATCH: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 across all environments (dev, staging, prod).
2. AUDIT: Run a dependency scan across containerized ML workloads; pinned base images frequently carry stale TF versions.
3. NETWORK ISOLATION: Restrict TensorFlow Serving endpoints to internal network segments; eliminate public-facing inference APIs where not business-critical.
4. INPUT VALIDATION: Enforce server-side bounds checking on sparse tensor indices before forwarding to TF ops.
5. MONITOR: Alert on anomalous ML worker crashes or OOM events; heap corruption produces observable signals before exploitation succeeds.
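
For the AUDIT step, a pinned-version check can be run over requirements files pulled from images and repositories. The following is an added example, not code from the TensorFlow project or this advisory; the `tensorflow-cpu`/`tensorflow-gpu` package names, the function names and the sample file are assumptions of the example, and the fixed versions are the ones listed on this page.

```python
import re

# Fixed patch level per release line, as listed in this advisory.
FIXED_PATCH = {(1, 15): 4, (2, 0): 3, (2, 1): 2, (2, 2): 1, (2, 3): 1}

# Match only the TensorFlow distributions, not tensorflow-serving-api etc.
NAME = re.compile(r"^\s*(tensorflow(?:-cpu|-gpu)?)(?![\w.-])\s*(.*)$", re.IGNORECASE)
PIN = re.compile(r"^==\s*(\d+)\.(\d+)\.(\d+)")


def is_vulnerable(major, minor, patch):
    """True if this version predates the fix for CVE-2020-15195."""
    if (major, minor) in FIXED_PATCH:
        return patch < FIXED_PATCH[(major, minor)]
    # Release lines with no listed fix: anything before 2.4 is treated as
    # unpatched, 2.4 and later as carrying the fix.
    return (major, minor) < (2, 4)


def audit_requirements(text):
    """Return (line_number, package, status) for every line needing attention."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop trailing comments
        m = NAME.match(line)
        if not m:
            continue
        pin = PIN.match(m.group(2).strip())
        if pin is None:
            # Range or missing specifier: the installed version must be
            # checked in the built image instead.
            findings.append((lineno, m.group(1).lower(), "unpinned"))
        elif is_vulnerable(*(int(g) for g in pin.groups())):
            findings.append((lineno, m.group(1).lower(), "vulnerable"))
    return findings


# Constructed sample requirements file (not taken from a real project).
SAMPLE = """\
numpy==1.18.5
tensorflow==2.2.0        # constructed example pin
tensorflow-gpu==1.15.4
tensorflow-serving-api==2.3.0
tensorflow>=2.0
TensorFlow-CPU == 2.3.1
tensorflow==1.14.0
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE):
        print(finding)
```

Lines reported as "unpinned" need the resolved version checked inside the built image, since the specifier alone does not say which release was installed.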

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.2 - Risk response mechanisms for AI systems
OWASP LLM Top 10: LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2020-15195?

Any TensorFlow deployment below versions 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 that processes sparse tensors—whether in training or serving—is vulnerable to heap buffer overflow exploitable by a low-privileged network attacker. Patch immediately; no workaround neutralizes the underlying memory corruption. Audit your ML infrastructure inventory now—unpatched TF instances represent a known, multi-year exposure with public exploit details.

Is CVE-2020-15195 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15195, increasing the risk of exploitation.

How to fix CVE-2020-15195?

1. PATCH: Upgrade to TensorFlow 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 across all environments (dev, staging, prod).
2. AUDIT: Run a dependency scan across containerized ML workloads; pinned base images frequently carry stale TF versions.
3. NETWORK ISOLATION: Restrict TensorFlow Serving endpoints to internal network segments; eliminate public-facing inference APIs where not business-critical.
4. INPUT VALIDATION: Enforce server-side bounds checking on sparse tensor indices before forwarding to TF ops.
5. MONITOR: Alert on anomalous ML worker crashes or OOM events; heap corruption produces observable signals before exploitation succeeds.

What systems are affected by CVE-2020-15195?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, recommendation system pipelines, multi-tenant ML platforms, NLP sparse embedding pipelines.

What is the CVSS score for CVE-2020-15195?

CVE-2020-15195 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.36%.

Technical Details

NVD Description

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of `SparseFillEmptyRowsGrad` uses a double indexing pattern. It is possible for `reverse_index_map(i)` to be an index outside of bounds of `grad_values`, thus resulting in a heap buffer overflow. The issue is patched in commit 390611e0d45c5793c7066110af37c8514e6a6c54, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
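
The missing check in the double-indexing pattern is that every `reverse_index_map(i)` must lie in `[0, len(grad_values))`. The following added example (not TensorFlow's code and not the patch itself) shows that check in front of a simplified pure-Python model of the op; the function names and the model of the gradient (gathered values plus a sum over unvisited entries) are assumptions of the example.

```python
def check_reverse_index_map(reverse_index_map, n_full):
    """Return [(position, value)] for entries that do not index grad_values."""
    bad = []
    for pos, idx in enumerate(reverse_index_map):
        # Negative values matter too: Python would silently wrap them, while
        # native code would read before the start of the buffer.
        if isinstance(idx, bool) or not isinstance(idx, int) or not 0 <= idx < n_full:
            bad.append((pos, idx))
    return bad


def sparse_fill_empty_rows_grad(reverse_index_map, grad_values):
    """Simplified model of the gradient: validate first, then double-index."""
    n_full = len(grad_values)
    bad = check_reverse_index_map(reverse_index_map, n_full)
    if bad:
        raise ValueError(
            f"reverse_index_map out of range for grad_values of length "
            f"{n_full}: {bad[:5]}"
        )
    visited = [False] * n_full
    d_values = []
    for idx in reverse_index_map:
        d_values.append(grad_values[idx])  # the double-indexed read
        visited[idx] = True
    # Gradient for the default value: entries no input row mapped to.
    d_default_value = sum(g for g, seen in zip(grad_values, visited) if not seen)
    return d_values, d_default_value


if __name__ == "__main__":
    # Constructed inputs: a well-formed map, then one with two bad entries.
    grads = [1.0, 2.0, 3.0, 4.0, 5.0]
    print(sparse_fill_empty_rows_grad([0, 2, 3], grads))
    print(check_reverse_index_map([0, 5, -1], len(grads)))
```

The same range check can sit in a request-validation layer in front of a serving endpoint, so that malformed index tensors are rejected before they reach an unpatched op.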

Exploitation Scenario

An adversary with valid credentials to a TensorFlow Serving gRPC/REST endpoint submits a crafted predict request containing a sparse tensor where reverse_index_map holds out-of-bounds indices relative to grad_values. During backward-pass computation in SparseFillEmptyRowsGrad, TensorFlow dereferences these indices beyond heap-allocated buffer boundaries. The resulting heap corruption can be weaponized to achieve arbitrary code execution on the serving node—enabling the attacker to exfiltrate proprietary model weights, inject backdoored model artifacts into the serving pipeline, or pivot to internal training infrastructure connected to the same network segment.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020

Related Vulnerabilities