AI Threat Alert

CVE-2020-15197: TensorFlow: DoS via malformed sparse tensor input

MEDIUM PoC AVAILABLE
Published September 25, 2020
CISO Take

A missing rank validation in TensorFlow's SparseCountSparseOutput operation allows low-privileged network attackers to crash TF serving instances by sending malformed sparse tensors. If your ML inference infrastructure exposes TensorFlow endpoints to untrusted users, patch to 2.3.1 immediately. Add API-boundary input shape validation as a secondary control until patching is complete.

What is the risk?

Medium risk in practice despite a 6.3 CVSS. High attack complexity and low-privilege requirement reduce exploitability, but model serving endpoints that accept raw tensor inputs from users are directly exposed. The Changed scope (S:C) signals cross-component blast radius—one malformed request can crash a shared inference server affecting all tenants. No confidentiality or integrity impact; purely an availability threat. Not in CISA KEV and no public PoC weaponization reported, but the GitHub advisory includes exploit details.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 5d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
6.3 / 10
EPSS
0.7%
chance of exploitation in 30 days
Higher than 49% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR Low
UI None
S Changed
C None
I None
A High

What should I do?

5 steps

  1. Patch: upgrade TensorFlow to >= 2.3.1 (fix in commit 3cbb917).

  2. If immediate patching is blocked, enforce API-layer validation rejecting sparse tensors with non-rank-2 indices before they reach TF ops.

  3. Scope exposure: audit which inference endpoints accept sparse tensor inputs from untrusted users and restrict accordingly.

  4. Deploy rate limiting on inference endpoints to break crash-restart abuse loops.

  5. Detection: monitor TF serving logs and process supervisor events for CHECK assertion failures or unexpected restarts as an IOC signal.

How is it classified?

DoS Framework Inference AML.T0029 AML.T0043 AML.T0049

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.4 - AI system operation and monitoring
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI operation
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2020-15197?

A missing rank validation in TensorFlow's SparseCountSparseOutput operation allows low-privileged network attackers to crash TF serving instances by sending malformed sparse tensors. If your ML inference infrastructure exposes TensorFlow endpoints to untrusted users, patch to 2.3.1 immediately. Add API-boundary input shape validation as a secondary control until patching is complete.

Is CVE-2020-15197 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15197, increasing the risk of exploitation.

How to fix CVE-2020-15197?

1. Patch: upgrade TensorFlow to >= 2.3.1 (fix in commit 3cbb917). 2. If immediate patching is blocked, enforce API-layer validation rejecting sparse tensors with non-rank-2 indices before they reach TF ops. 3. Scope exposure: audit which inference endpoints accept sparse tensor inputs from untrusted users and restrict accordingly. 4. Deploy rate limiting on inference endpoints to break crash-restart abuse loops. 5. Detection: monitor TF serving logs and process supervisor events for CHECK assertion failures or unexpected restarts as an IOC signal.

What systems are affected by CVE-2020-15197?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines.

What is the CVSS score for CVE-2020-15197?

CVE-2020-15197 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.72%.

What is the AI security impact?

Affected AI Architectures

model servinginference endpointstraining pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0043 Craft Adversarial Data
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.4
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

In Tensorflow before version 2.3.1, the `SparseCountSparseOutput` implementation does not validate that the input arguments form a valid sparse tensor. In particular, there is no validation that the `indices` tensor has rank 2. This tensor must be a matrix because code assumes its elements are accessed as elements of a matrix. However, malicious users can pass in tensors of different rank, resulting in a `CHECK` assertion failure and a crash. This can be used to cause denial of service in serving installations, if users are allowed to control the components of the input sparse tensor. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

Exploitation Scenario

An authenticated user with minimal privileges submits an inference request to a TensorFlow serving endpoint that processes SparseCountSparseOutput. The attacker crafts a sparse tensor with a rank-1 or rank-3 indices tensor instead of the required rank-2 matrix. TensorFlow dereferences indices as a matrix, hits a CHECK assertion failure, and the serving process crashes. In containerized deployments with auto-restart, the attacker scripts repeated requests to sustain a denial of service, preventing any inference requests from completing. The attack requires knowledge of TensorFlow's sparse tensor API but no ML expertise.

Weaknesses (CWE)

CWE-20 Improper Input Validation CWE-617 Reachable Assertion

CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

  • [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
  • [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H

References

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed