CVE-2020-15199: TensorFlow: DoS via malformed ragged tensor input

MEDIUM PoC AVAILABLE
Published September 25, 2020

CISO Take

TensorFlow deployments below 2.3.1 accepting user-supplied tensor data are vulnerable to remote crash via a crafted ragged tensor — no authentication required. Patch to TF 2.3.1+ immediately; if patching is delayed, add input validation at the API boundary to reject splits tensors with fewer than 2 elements. Availability impact only: no data exposure, but a crashed inference server stops production pipelines cold.

Risk Assessment

Effective risk is moderate-to-low despite the network attack vector. High attack complexity (AC:H) requires the adversary to understand TensorFlow's ragged tensor format and specifically target RaggedCountSparseOutput — this is not spray-and-pray. The CVE is from 2020, unpatched instances are increasingly rare, and it is absent from CISA KEV. The primary business risk materializes in exposed model-serving endpoints where inference availability is operationally critical (e.g., real-time fraud detection, content moderation at scale). On-prem or air-gapped training environments with no external input path carry negligible risk.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 5.9 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: High
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

Recommended Action

  1. Patch: upgrade to TensorFlow 2.3.1 or later (commit 3cbb917b applies the fix).

  2. Workaround if patching is blocked: add input validation middleware at the model serving layer to assert len(splits) >= 2 before forwarding requests to the TF runtime.

  3. Network controls: restrict public access to TF Serving ports; place an authenticated API gateway in front of inference endpoints to reduce unauthenticated attack surface.

  4. Detection: monitor serving process restart rates and SIGABRT/segfault logs as anomaly signals; alert on unusually short-lived inference processes.

  5. Verify exposure: grep your codebase and pipeline configs for RaggedCountSparseOutput usage to confirm affected code paths.
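One way to implement the step 2 workaround, as an added example rather than code from TensorFlow or from this advisory: a pre-forwarding check that rejects `splits` with fewer than 2 elements and also enforces the other rules of a valid ragged row partition. The JSON field names `splits` and `values` and the function names are assumptions; map them to your serving schema.

```python
from numbers import Integral


class InvalidRaggedInput(ValueError):
    """Raised when splits/values do not describe a valid ragged tensor."""


def validate_ragged_input(splits, values):
    """Validate one ragged dimension; return the row count or raise."""
    if not isinstance(splits, (list, tuple)) or not isinstance(values, (list, tuple)):
        raise InvalidRaggedInput("splits and values must be arrays")
    # The check named in the workaround: empty or one-element splits is the crash input.
    if len(splits) < 2:
        raise InvalidRaggedInput("splits must have at least 2 elements")
    if any(isinstance(s, bool) or not isinstance(s, Integral) for s in splits):
        raise InvalidRaggedInput("splits must contain integers only")
    # Remaining row-partition rules: start at 0, never decrease, end at len(values).
    if splits[0] != 0:
        raise InvalidRaggedInput("splits must start at 0")
    if any(b < a for a, b in zip(splits, splits[1:])):
        raise InvalidRaggedInput("splits must be non-decreasing")
    if splits[-1] != len(values):
        raise InvalidRaggedInput("last split must equal len(values)")
    return len(splits) - 1


def guard_request(payload):
    """Middleware decision: (400, reason) to reject, (200, 'ok') to forward."""
    if not isinstance(payload, dict):
        return 400, "request body must be a JSON object"
    try:
        validate_ragged_input(payload.get("splits"), payload.get("values"))
    except InvalidRaggedInput as exc:
        return 400, str(exc)
    return 200, "ok"


# Constructed request bodies (field names "splits" and "values" are hypothetical).
SAMPLES = [
    {"splits": [0, 2, 3], "values": [5, 6, 7]},  # well-formed, 2 rows
    {"splits": [], "values": []},                # empty splits
    {"splits": [0], "values": []},               # one-element splits
    {"splits": [0, 5], "values": [1]},           # split past end of values
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(body, "->", guard_request(body))
```

Rejecting at the gateway with a 400 keeps the malformed request from ever reaching the TF runtime, so the check still applies while the upgrade to 2.3.1 is pending.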

Classification

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2.6 - AI system input validation and robustness
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems
MAP-5.1 - Likelihood and magnitude of harms evaluated
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2020-15199?

TensorFlow deployments below 2.3.1 accepting user-supplied tensor data are vulnerable to remote crash via a crafted ragged tensor — no authentication required. Patch to TF 2.3.1+ immediately; if patching is delayed, add input validation at the API boundary to reject splits tensors with fewer than 2 elements. Availability impact only: no data exposure, but a crashed inference server stops production pipelines cold.

Is CVE-2020-15199 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15199, increasing the risk of exploitation.

How to fix CVE-2020-15199?

  1. Patch: upgrade to TensorFlow 2.3.1 or later (commit 3cbb917b applies the fix).

  2. Workaround if patching is blocked: add input validation middleware at the model serving layer to assert len(splits) >= 2 before forwarding requests to the TF runtime.

  3. Network controls: restrict public access to TF Serving ports; place an authenticated API gateway in front of inference endpoints to reduce unauthenticated attack surface.

  4. Detection: monitor serving process restart rates and SIGABRT/segfault logs as anomaly signals; alert on unusually short-lived inference processes.

  5. Verify exposure: grep your codebase and pipeline configs for RaggedCountSparseOutput usage to confirm affected code paths.

What systems are affected by CVE-2020-15199?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference.

What is the CVSS score for CVE-2020-15199?

CVE-2020-15199 has a CVSS v3.1 base score of 5.9 (MEDIUM). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the `splits` tensor has the minimum required number of elements. Code uses this quantity to initialize a different data structure. Since `BatchedMap` is equivalent to a vector, it needs to have at least one element to not be `nullptr`. If user passes a `splits` tensor that is empty or has exactly one element, we get a `SIGABRT` signal raised by the operating system. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.

Exploitation Scenario

An adversary identifies a public-facing model API (e.g., a text classification or recommendation endpoint) backed by TensorFlow <2.3.1. They craft a minimal gRPC or REST request to the model that includes a RaggedTensor with an empty splits component (e.g., splits=[]). When TensorFlow processes this through RaggedCountSparseOutput during inference, the BatchedMap initialization dereferences a null pointer and the OS sends SIGABRT, crashing the process. The adversary automates this with a single-line script, cycling requests to keep the serving pod in a crash loop, causing sustained inference unavailability without authentication or elevated privileges.
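The crash loop described above is detectable from process lifetimes and exit statuses alone. The following is an added example, not part of the original advisory or of TensorFlow: it flags bursts of short-lived serving processes that ended with SIGABRT or SIGSEGV. The record layout, thresholds and sample data are assumptions, and the 128+n mapping assumes Linux signal numbers.

```python
import signal
from collections import deque

# Constructed sample: (start_epoch_s, exit_epoch_s, exit_status) per serving run.
SAMPLE_RUNS = [
    (1000, 4600, 0),                 # long-lived, clean exit
    (4700, 4703, -signal.SIGABRT),   # supervisor reports -N for "killed by signal N"
    (4710, 4712, -signal.SIGABRT),
    (4720, 4721, 134),               # shell/container convention: 128 + 6 (SIGABRT)
    (4730, 4733, -signal.SIGABRT),
]

CRASH_SIGNALS = {signal.SIGABRT, signal.SIGSEGV}


def terminating_signal(exit_status):
    """Return the signal number behind an exit status, or None for a normal exit."""
    if exit_status < 0:        # Python subprocess convention
        return -exit_status
    if exit_status > 128:      # shell / container runtime convention
        return exit_status - 128
    return None


def crash_loop_alerts(runs, max_lifetime_s=30, window_s=300, threshold=3):
    """Return exit timestamps where >= threshold short-lived crash exits
    fall inside the trailing window_s seconds."""
    recent = deque()
    alerts = []
    for start, end, status in sorted(runs, key=lambda r: r[1]):
        if terminating_signal(status) not in CRASH_SIGNALS:
            continue
        if end - start > max_lifetime_s:
            continue  # a crash after a long lifetime is not the crash-loop pattern
        recent.append(end)
        while end - recent[0] > window_s:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(end)
    return alerts


if __name__ == "__main__":
    print("alert at:", crash_loop_alerts(SAMPLE_RUNS))
```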

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020
