CVE-2020-15206: TensorFlow: SavedModel protobuf DoS in inference serving
HIGH · PoC AVAILABLE
If your org runs tensorflow-serving or any inference-as-a-service stack built on TensorFlow pre-2.3.1, an unauthenticated attacker who can supply a crafted SavedModel can crash your inference service with zero privileges required. Patch to TF 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1+ immediately and audit any externally-reachable model upload endpoints. Legacy MLOps pipelines that pin old TF versions are the highest-risk surface here.
What is the risk?
CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially weaponizable from the network with no authentication. The blast radius is limited to availability (no confidentiality or integrity impact per CVSS), but for production AI inference infrastructure, DoS equates to direct revenue and operational impact. Not in CISA KEV and no confirmed active exploitation as of 2025, so residual risk is moderate for patched environments. However, organizations with pinned legacy TF versions in MLOps pipelines or air-gapped inference servers that lag patch cycles remain exposed.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
| leap | — | — | No patch |
What should I do?
1. Patch: Upgrade TensorFlow to 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1+. Verify with `pip show tensorflow`.
2. Model validation: Implement cryptographic signing and signature verification for SavedModel artifacts in your model registry before loading. Reject unsigned or untrusted models.
3. Access control: Restrict who can push models to your serving infrastructure: enforce model registry RBAC.
4. Isolation: Run tensorflow-serving in containers with restart policies and resource limits to contain the impact of crashes.
5. Detection: Alert on abnormal tensorflow-serving process restarts or segfault signals in system logs.
6. Network: If tf-serving is internet-facing, place it behind an authenticated API gateway; this vulnerability requires no auth at the TF level.
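The signing and verification gate from the model-validation step above, as an added example that is not part of this advisory or of TensorFlow itself: a registry-side signer and a serving-side verifier for a SavedModel directory, built on a per-file SHA-256 manifest protected by an HMAC (stdlib only; a production registry would use an asymmetric signature such as Ed25519 or Sigstore so the serving host holds no signing key). The directory layout, key and file bytes in `demo()` are constructed for the example.

```python
from pathlib import Path
import hashlib, hmac, json, os, tempfile
def _file_hashes(model_dir):
    """sha256 of every file under model_dir (except the manifest), keyed by relative path."""
    hashes = {}
    for root, _dirs, files in os.walk(model_dir):
        for name in files:
            path = os.path.join(root, name)
            if name != "MANIFEST.sig":
                with open(path, "rb") as f:
                    hashes[os.path.relpath(path, model_dir)] = hashlib.sha256(f.read()).hexdigest()
    return hashes

def _mac(files, key):
    canon = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()

def sign_model(model_dir, key):
    """Registry side: write the file hashes plus an HMAC over them to MANIFEST.sig."""
    files = _file_hashes(model_dir)
    Path(model_dir, "MANIFEST.sig").write_text(json.dumps({"files": files, "mac": _mac(files, key)}))

def verify_model(model_dir, key):
    """Serving-side gate, to run before tf.saved_model.load(): returns (ok, reason)."""
    sig = Path(model_dir, "MANIFEST.sig")
    if not sig.exists():
        return False, "unsigned model"
    manifest = json.loads(sig.read_text())
    files = manifest.get("files", {})
    if not hmac.compare_digest(_mac(files, key), str(manifest.get("mac", ""))):
        return False, "manifest signature mismatch"
    if "saved_model.pb" not in files:
        return False, "signed manifest lacks saved_model.pb"
    if _file_hashes(model_dir) != files:
        return False, "file contents differ from signed manifest"
    return True, "ok"

def demo():
    """Constructed SavedModel stand-in: unsigned, then signed, then tampered after signing."""
    key = b"registry-signing-key-placeholder"  # hypothetical key shared by registry and server
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "variables").mkdir()
        (d / "saved_model.pb").write_bytes(b"\x08\x01")  # constructed bytes, not a real protobuf
        (d / "variables" / "variables.index").write_bytes(b"idx")
        unsigned = verify_model(d, key)[1]
        sign_model(d, key)
        clean = verify_model(d, key)[1]
        (d / "saved_model.pb").write_bytes(b"\x08\x02")  # stands in for a protobuf with renamed keys
        return unsigned, clean, verify_model(d, key)[1]
```

Wire `verify_model` into the model-refresh path so a model whose manifest is missing, forged or stale never reaches the loader; the tampered case is the one the advisory describes, where an edited `saved_model.pb` would otherwise crash the server on load.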
Frequently Asked Questions
Is CVE-2020-15206 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2020-15206, increasing the risk of exploitation.
What systems are affected by CVE-2020-15206?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, ML model registries, training pipelines.
What is the CVSS score for CVE-2020-15206?
CVE-2020-15206 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.94%.
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0011.000 Unsafe AI Artifacts
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
- AML.T0076 Corrupt AI Model
What are the technical details?
Original Advisory
In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, changing the TensorFlow's `SavedModel` protocol buffer and altering the name of required keys results in segfaults and data corruption while loading the model. This can cause a denial of service in products using `tensorflow-serving` or other inference-as-a-service installments. Fixes were added in commits f760f88b4267d981e13f4b302c437ae800445968 and fcfef195637c6e365577829c4d67681695956e7d (both going into TensorFlow 2.2.0 and 2.3.0 but not yet backported to earlier versions). However, this was not enough, as #41097 reports a different failure mode. The issue is patched in commit adf095206f25471e864a8e63a0f1caef53a0e3a6, and is released in TensorFlow versions 1.15.4, 2.0.3, 2.1.2, 2.2.1, or 2.3.1.
Exploitation Scenario
An attacker with access to a model registry (compromised CI/CD credential, insider, or misconfigured public bucket) crafts a TensorFlow SavedModel with deliberately malformed protobuf keys, removing or renaming required fields. The malicious model is pushed to the production model registry and picked up by tensorflow-serving during a scheduled model refresh or hot-reload. On load, TF dereferences a null or corrupt pointer from the malformed protobuf, triggering a segfault that crashes the serving process. In a Kubernetes environment without proper restart policies, this takes the inference endpoint offline; with restart policies, the attacker can trigger repeated crashes to sustain the denial of service. No network authentication and no ML expertise is needed, only knowledge of the SavedModel protobuf schema.
Weaknesses (CWE)
CWE-20 — Improper Input Validation: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- lists.opensuse.org/opensuse-security-announce/2020-10/msg00065.html (Mailing List, 3rd Party)
- github.com/tensorflow/tensorflow/commit/adf095206f25471e864a8e63a0f1caef53a0e3a6 (Patch, 3rd Party, Vendor)
- github.com/tensorflow/tensorflow/releases/tag/v2.3.1 (3rd Party)
- github.com/tensorflow/tensorflow/security/advisories/GHSA-w5gh-2wr2-pm6g (Exploit, 3rd Party)
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops (same package: tensorflow)
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass (same package: tensorflow)
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op (same package: tensorflow)
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch (same package: tensorflow)
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE (same package: tensorflow)