CVE-2020-15203: TensorFlow: format string DoS in strings.as_string

HIGH PoC AVAILABLE
Published September 25, 2020
CISO Take

A remotely exploitable format string vulnerability in TensorFlow's `tf.strings.as_string` allows an attacker to crash the TF process (segfault) by controlling the `fill` argument—no authentication required. If your inference APIs accept user-supplied computation graphs or expose TF ops directly, patch to 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. Availability-only impact (no data exfiltration), but a crashed serving endpoint means model downtime.

What is the risk?

High exploitability (AV:N/AC:L/PR:N/UI:N) but limited blast radius—pure availability impact, no confidentiality or integrity loss. Risk is concentrated in organizations exposing TensorFlow inference endpoints that accept user-controlled inputs or computation graphs. Air-gapped training infrastructure has negligible exposure. CVSS 7.5 is accurate: easy to trigger remotely, but the damage ceiling is service disruption, not data breach or code execution.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch
leap No patch

How severe is it?

CVSS 3.1: 7.5 / 10
EPSS: 1.0% chance of exploitation in 30 days (higher than 57% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade TensorFlow to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 (commit 33be22c65d).

  2. VALIDATE INPUTS

    Reject or sanitize `fill` arguments in any API surface accepting string formatting parameters before they reach TF ops.

  3. ISOLATE

    Run TF inference processes in containers with restart policies (e.g., Kubernetes liveness probes) to auto-recover from crashes.

  4. RESTRICT

    Do not expose raw TF graph execution APIs externally; use model-level abstractions (SavedModel with fixed signatures) that prevent op-level parameter injection.

  5. DETECT

    Alert on unexpected TF process terminations (SIGSEGV) in your serving infrastructure.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.9.2 - AI system security
NIST AI RMF
MANAGE 2.4 - Residual risks from AI system operation are monitored and managed
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2020-15203 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15203, increasing the risk of exploitation.

What systems are affected by CVE-2020-15203?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, shared ML platforms.

What is the CVSS score for CVE-2020-15203?

CVE-2020-15203 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.95%.

What is the AI security impact?

Affected AI Architectures

model serving, inference APIs, training pipelines, shared ML platforms

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.9.2
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

In TensorFlow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of `tf.strings.as_string`, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format used in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary targeting an ML inference API sends a crafted request with a malicious `fill` value (e.g., `%n`, `%s%s%s`) to a TensorFlow serving endpoint that pipes user input into `tf.strings.as_string`. The format string reaches a `printf`-style call internally, causing a segmentation fault and crashing the serving process. In a Kubernetes deployment without proper liveness probes, this results in sustained downtime. In a shared MLOps platform, a malicious tenant crashes the shared inference worker, causing denial-of-service for all users on that node.

Weaknesses (CWE)

CWE-134 — Use of Externally-Controlled Format String: The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

  • [Requirements] Choose a language that is not subject to this flaw.
  • [Implementation] Ensure that all format string functions are passed a static string which cannot be controlled by the user, and that the proper number of arguments are always sent to that function as well. If at all possible, use functions that do not support the %n operator in format strings. [REF-116] [REF-117]

Source: MITRE CWE corpus.
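
One way to apply the VALIDATE INPUTS step and the CWE-134 guidance above at a request gateway, as an added example (not code from TensorFlow or the advisory): it allowlists `fill` to the empty string or one C `printf` flag character and bounds the other `tf.strings.as_string` keyword arguments before they are forwarded. The function names, the `LIMITS` values and the sample request bodies are assumptions made for illustration.

```python
# C printf defines only these flag characters; anything else in the flag
# position is read as width, precision, length modifier or conversion.
PRINTF_FLAGS = frozenset(" +-0#")
LIMITS = {"width": 64, "precision": 32}  # assumed service limits
ALLOWED_KEYS = {"precision", "scientific", "shortest", "width", "fill"}

class RejectedParameter(ValueError):
    """A request parameter that must not reach the TF op."""

def validate_fill(fill):
    """Accept only the empty string or a single printf flag character."""
    if not isinstance(fill, str) or len(fill) > 1:
        raise RejectedParameter("fill must be a string of at most one character")
    if fill and fill not in PRINTF_FLAGS:
        raise RejectedParameter("fill is not a printf flag character")
    return fill

def _bounded_int(name, value, upper):
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise RejectedParameter(f"{name} must be an integer")
    if not -1 <= value <= upper:
        raise RejectedParameter(f"{name} must be between -1 and {upper}")
    return value

def validate_as_string_params(params):
    """Return keyword arguments safe to forward, or raise RejectedParameter."""
    unknown = set(params) - ALLOWED_KEYS
    if unknown:
        raise RejectedParameter(f"unexpected keys: {sorted(unknown)}")
    checked = {"fill": validate_fill(params.get("fill", ""))}
    for name, upper in LIMITS.items():
        checked[name] = _bounded_int(name, params.get(name, -1), upper)
    for flag in ("scientific", "shortest"):
        if not isinstance(params.get(flag, False), bool):
            raise RejectedParameter(f"{flag} must be a boolean")
        checked[flag] = params.get(flag, False)
    return checked

def screen(params):
    """Return 'accept' or the rejection reason for one request body."""
    try:
        validate_as_string_params(params)
    except RejectedParameter as exc:
        return f"reject: {exc}"
    return "accept"

# Constructed request bodies: the first is benign, the rest are refused.
SAMPLES = [{"fill": "0", "width": 8}, {"fill": "%n"}, {"fill": "x"}, {"width": 10**6}]
```

The validator complements the upgrade rather than replacing it; it keeps unexpected formatting parameters away from the op on hosts that are still waiting for a patched build.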

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
September 25, 2020
Last Modified
November 21, 2024
First Seen
September 25, 2020

Related Vulnerabilities