CVE-2020-15203: TensorFlow: format string DoS in strings.as_string

HIGH PoC AVAILABLE
Published September 25, 2020
CISO Take

A remotely exploitable format string vulnerability in TensorFlow's `tf.strings.as_string` allows an attacker to crash the TF process (segfault) by controlling the `fill` argument—no authentication required. If your inference APIs accept user-supplied computation graphs or expose TF ops directly, patch to 1.15.4/2.0.3/2.1.2/2.2.1/2.3.1 immediately. The impact is limited to availability (no data exfiltration), but a crashed serving endpoint means model downtime.

Risk Assessment

High exploitability (AV:N/AC:L/PR:N/UI:N) but limited blast radius—pure availability impact, no confidentiality or integrity loss. Risk is concentrated in organizations exposing TensorFlow inference endpoints that accept user-controlled inputs or computation graphs. Air-gapped training infrastructure has negligible exposure. CVSS 7.5 is accurate: easy to trigger remotely, but the damage ceiling is service disruption, not data breach or code execution.

Affected Systems

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | | No patch |
| leap | | | No patch |

tensorflow package profile: 195.0K, OpenSSF 7.2, 3.7K dependents, pushed 6d ago, 4% patched, ~1372d to patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 58% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

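AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High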

Recommended Action

5 steps
  1. PATCH

    Upgrade TensorFlow to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 (commit 33be22c65d).

  2. VALIDATE INPUTS

    Reject or sanitize `fill` arguments in any API surface accepting string formatting parameters before they reach TF ops.

  3. ISOLATE

    Run TF inference processes in containers with restart policies (e.g., Kubernetes liveness probes) to auto-recover from crashes.

  4. RESTRICT

    Do not expose raw TF graph execution APIs externally; use model-level abstractions (SavedModel with fixed signatures) that prevent op-level parameter injection.

  5. DETECT

    Alert on unexpected TF process terminations (SIGSEGV) in your serving infrastructure.
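
One way to implement step 2 at the API boundary, as an added example that is not TensorFlow's or this page's code. The parameter names are those of `tf.strings.as_string`; the allow-list of `fill` values and the width/precision caps are assumptions of this example.

```python
# Added example: gateway-side validation of tf.strings.as_string parameters.
# Assumptions: the allow-list and numeric limits below are this example's policy.
ALLOWED_FILL = frozenset({"", " ", "+", "-", "0", "#"})  # empty or one printf flag
LIMITS = {"width": 64, "precision": 32}                   # hypothetical service caps
BOOL_KEYS = ("scientific", "shortest")


class RejectedRequest(ValueError):
    """Formatting parameters that must not be forwarded to TensorFlow."""


def validate_as_string_params(params: dict) -> dict:
    """Return a cleaned copy of the caller's parameters, or raise RejectedRequest."""
    unknown = set(params) - {"fill", *LIMITS, *BOOL_KEYS}
    if unknown:
        raise RejectedRequest(f"unknown parameters: {sorted(unknown)}")

    clean = {}
    fill = params.get("fill", "")
    # Exact-match allow-list: rejects '%', multi-character strings and non-strings.
    if not isinstance(fill, str) or fill not in ALLOWED_FILL:
        raise RejectedRequest(f"fill not allowed: {fill!r}")
    clean["fill"] = fill

    for key, cap in LIMITS.items():
        value = params.get(key, -1)          # -1 is the op's "unset" default
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            raise RejectedRequest(f"{key} must be an integer")
        if not -1 <= value <= cap:
            raise RejectedRequest(f"{key} out of range: {value}")
        clean[key] = value

    for key in BOOL_KEYS:
        value = params.get(key, False)
        if not isinstance(value, bool):
            raise RejectedRequest(f"{key} must be a boolean")
        clean[key] = value
    return clean


def is_accepted(params: dict) -> bool:
    """Convenience wrapper for logging or metrics: True if the request may proceed."""
    try:
        validate_as_string_params(params)
        return True
    except RejectedRequest:
        return False
```

Validation of this kind complements the upgrade in step 1; it does not replace it.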

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk management system
ISO 42001: A.9.2 - AI system security
NIST AI RMF: MANAGE 2.4 - Residual risks from AI system operation are monitored and managed
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2020-15203 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-15203, increasing the risk of exploitation.

How to fix CVE-2020-15203?

1. PATCH: Upgrade TensorFlow to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1 (commit 33be22c65d).
2. VALIDATE INPUTS: Reject or sanitize `fill` arguments in any API surface accepting string formatting parameters before they reach TF ops.
3. ISOLATE: Run TF inference processes in containers with restart policies (e.g., Kubernetes liveness probes) to auto-recover from crashes.
4. RESTRICT: Do not expose raw TF graph execution APIs externally; use model-level abstractions (SavedModel with fixed signatures) that prevent op-level parameter injection.
5. DETECT: Alert on unexpected TF process terminations (SIGSEGV) in your serving infrastructure.

What systems are affected by CVE-2020-15203?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, shared ML platforms.

What is the CVSS score for CVE-2020-15203?

CVE-2020-15203 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.36%.

Technical Details

NVD Description

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, by controlling the `fill` argument of tf.strings.as_string, a malicious attacker is able to trigger a format string vulnerability due to the way the internal format use in a `printf` call is constructed. This may result in segmentation fault. The issue is patched in commit 33be22c65d86256e6826666662e40dbdfe70ee83, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.

Exploitation Scenario

An adversary targeting an ML inference API sends a crafted request with a malicious `fill` value (e.g., `%n`, `%s%s%s`) to a TensorFlow serving endpoint that pipes user input into `tf.strings.as_string`. The format string reaches a `printf`-style call internally, causing a segmentation fault and crashing the serving process. In a Kubernetes deployment without proper liveness probes, this results in sustained downtime. In a shared MLOps platform, a malicious tenant crashes the shared inference worker, causing denial-of-service for all users on that node.
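
A detection sketch for the crash pattern described above, as an added example that is not part of the original page. It classifies container termination records and separates a single SIGSEGV from repeated ones on the same pod. The records are constructed samples shaped like the `exitCode`, `signal` and `finishedAt` fields of a Kubernetes terminated container state; the pod names, threshold and window are assumptions.

```python
import signal
from collections import defaultdict
from datetime import datetime, timedelta

SIGSEGV_EXIT = 128 + signal.SIGSEGV   # 139: exit code reported for a SIGSEGV death
TS = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records (not real telemetry).
SAMPLE = [
    {"pod": "tf-serving-a", "exitCode": 139, "finishedAt": "2020-09-25T10:00:05Z"},
    {"pod": "tf-serving-a", "exitCode": 139, "finishedAt": "2020-09-25T10:01:10Z"},
    {"pod": "tf-serving-a", "exitCode": 139, "finishedAt": "2020-09-25T10:02:40Z"},
    {"pod": "tf-serving-b", "exitCode": 137, "finishedAt": "2020-09-25T10:03:00Z"},
    {"pod": "tf-serving-c", "exitCode": 0, "signal": 11,
     "finishedAt": "2020-09-25T11:30:00Z"},
]


def is_segv(term: dict) -> bool:
    """True if the termination record indicates death by SIGSEGV."""
    return term.get("exitCode") == SIGSEGV_EXIT or term.get("signal") == signal.SIGSEGV


def segv_alerts(records, threshold=3, window=timedelta(minutes=5)) -> dict:
    """Map pod name to 'single' or 'repeated' for pods that died with SIGSEGV.

    'repeated' means at least `threshold` SIGSEGV terminations fell inside one
    sliding `window`, the pattern of a crash loop rather than a one-off fault.
    """
    by_pod = defaultdict(list)
    for rec in records:
        if is_segv(rec):
            by_pod[rec["pod"]].append(datetime.strptime(rec["finishedAt"], TS))

    alerts = {}
    for pod, times in by_pod.items():
        times.sort()
        level, start = "single", 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                level = "repeated"
        alerts[pod] = level
    return alerts
```

Exit code 137 (SIGKILL, typically an OOM kill) is deliberately not counted, so memory-pressure restarts do not trigger this alert.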

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: September 25, 2020
Last Modified: November 21, 2024
First Seen: September 25, 2020

Related Vulnerabilities