CVE-2020-15201: TensorFlow: heap overflow in ragged tensor ops
MEDIUM | PoC AVAILABLE
A heap buffer overflow in TensorFlow's RaggedCountSparseOutput operation allows network-accessible exploitation with no authentication required, though high attack complexity limits immediate risk. Any TensorFlow deployment exposing inference endpoints that process ragged/sparse tensor inputs should patch to 2.3.1+ immediately. No active exploitation reported, but the no-auth network vector is unacceptable for production AI serving infrastructure.
Risk Assessment
Medium risk overall, but context-dependent severity for AI serving deployments. CVSS 4.8 reflects high attack complexity (AC:H), which requires crafting malformed ragged tensor inputs with precisely invalid splits partitioning. The network vector (AV:N) with no privileges (PR:N) and no user interaction (UI:N) is the primary risk amplifier — any internet-exposed TensorFlow Serving or gRPC inference endpoint accepting raw tensor inputs is a legitimate attack surface. No CISA KEV listing and 2020 publication date suggest no widespread active exploitation.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
1. Patch: Upgrade TensorFlow to 2.3.1 or later — patch is in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02.
2. Validate inputs: Add server-side validation that splits tensors form valid ragged partitions before invoking RaggedCountSparseOutput; reject any request where splits[-1] < num_values.
3. Network segmentation: TensorFlow Serving gRPC/REST endpoints should never be directly internet-exposed; place behind an API gateway that validates tensor shapes and types.
4. Detection: Monitor for malformed tensor shape errors or unexpected crashes in TF Serving logs; anomalous spike in op-level errors on sparse/ragged ops may indicate probing.
5. Runtime hardening: Run inference containers with restricted memory access (seccomp, read-only rootfs) to limit blast radius of memory corruption.
Frequently Asked Questions
Is CVE-2020-15201 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2020-15201, increasing the risk of exploitation.
What systems are affected by CVE-2020-15201?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, data preprocessing pipelines.
What is the CVSS score for CVE-2020-15201?
CVE-2020-15201 has a CVSS v3.1 base score of 4.8 (MEDIUM). The EPSS exploitation probability is 0.19%.
Technical Details
NVD Description
In Tensorflow before version 2.3.1, the `RaggedCountSparseOutput` implementation does not validate that the input arguments form a valid ragged tensor. In particular, there is no validation that the values in the `splits` tensor generate a valid partitioning of the `values` tensor. Hence, the code is prone to heap buffer overflow. If `split_values` does not end with a value at least `num_values` then the `while` loop condition will trigger a read outside of the bounds of `split_values` once `batch_idx` grows too large. The issue is patched in commit 3cbb917b4714766030b28eba9fb41bb97ce9ee02 and is released in TensorFlow version 2.3.1.
Exploitation Scenario
An adversary targeting an organization running TensorFlow 2.x inference services constructs a malicious prediction request containing a ragged tensor where the splits array does not correctly partition the values array — specifically, the final split value is less than the total number of values. When TensorFlow processes this input through RaggedCountSparseOutput, the while loop increments batch_idx beyond the bounds of split_values, triggering a heap buffer over-read. In a model serving context (e.g., TF Serving gRPC endpoint processing NLP inputs or sparse feature vectors), this could leak adjacent heap memory contents — potentially exposing cached inference results, model weight fragments, or internal runtime metadata. An attacker could iterate over multiple crafted payloads to incrementally reconstruct sensitive in-memory data.
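An added example, not TensorFlow's code and not part of the original advisory: a pre-dispatch check for the "Validate inputs" step, together with a bounds-checked replay of the loop the NVD description refers to. Function names and sample inputs are constructed here; the replay assumes `batch_idx` starts at 0, and the validator enforces the full row-splits conditions (start at 0, non-decreasing, end equal to `num_values`), which is stricter than the `splits[-1] < num_values` test in the recommended actions.

```python
# Added illustration; not TensorFlow source. Names and sample inputs are constructed.

def row_splits_error(splits, num_values):
    """Return why `splits` fails to partition `num_values` values, or None if valid."""
    if len(splits) == 0:
        return "splits is empty"
    if splits[0] != 0:
        return "splits[0] must be 0"
    if any(b < a for a, b in zip(splits, splits[1:])):
        return "splits must be non-decreasing"
    if splits[-1] != num_values:
        return f"splits[-1] is {splits[-1]}, expected num_values={num_values}"
    return None


def first_out_of_bounds_read(splits, num_values):
    """Replay the advisory's batch scan with explicit bounds checks.

    Models `while (idx >= splits[batch_idx]) batch_idx++` for each value index
    (assumption: batch_idx starts at 0). Returns (idx, batch_idx) for the first
    read past the end of `splits`, or None if every read stays in bounds.
    """
    batch_idx = 0
    for idx in range(num_values):
        while True:
            if batch_idx >= len(splits):
                return (idx, batch_idx)  # unchecked native code reads heap here
            if idx < splits[batch_idx]:
                break
            batch_idx += 1
    return None


# Constructed inputs: (label, splits, num_values)
SAMPLES = [
    ("valid partition", [0, 2, 5], 5),
    ("last split short", [0, 2, 3], 5),
    ("last split long", [0, 2, 7], 5),
    ("not starting at 0", [1, 2, 5], 5),
]

if __name__ == "__main__":
    for label, splits, n in SAMPLES:
        print(f"{label:18} error={row_splits_error(splits, n)!r} "
              f"oob={first_out_of_bounds_read(splits, n)}")
```

Any input the replay flags has a final split below `num_values` (or no splits at all), so the validator rejects it before it can reach the kernel on an unpatched build.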
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |