CVE-2020-5215: TensorFlow: type confusion DoS crashes eager mode inference
Severity: HIGH. PoC available.
Any TensorFlow deployment (1.x < 1.15.2 or 2.0.x < 2.0.1) accepting external input for inference or training is vulnerable to remote crash via a single malformed string value. Upgrade to TF 1.15.2, 2.0.1, or 2.1.0 immediately; the exploit is a one-liner with zero prerequisites. If patching is not immediate, add strict input type validation at the API/serving boundary before data reaches TensorFlow.
What is the risk?
High risk for internet-exposed TF inference endpoints. CVSS 7.5 reflects the low attack complexity accurately — no authentication, no user interaction, network-reachable. The segfault terminates the process, meaning a single malicious request can take down a serving instance. Containerized deployments auto-restart but are still susceptible to sustained DoS. On-prem model servers without auto-recovery face extended downtime. Risk is lower for internal-only pipelines with trusted data sources, but supply chain vectors (manipulated checkpoints/saved models) extend the attack surface beyond direct API access.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow (also tensorflow-gpu) | pip | < 1.15.2; 2.0.0 to < 2.0.1 | 1.15.2, 2.0.1 (2.1.0 shipped with the fix already in) |
If you run a TensorFlow build in that range with eager execution enabled (the default in 2.0.x, opt-in via tf.enable_eager_execution() in 1.x) and feed it data you do not fully control, you are affected.
What should I do?
Six steps:
1. PATCH: Upgrade to TensorFlow 1.15.2, 2.0.1, or 2.1.0. Verify with `pip show tensorflow` and cross-reference against the patched commit (5ac1b9e).
2. IMMEDIATE WORKAROUND: Add input validation middleware that enforces dtype contracts before tensors reach TF. Reject inputs that are not numeric rather than casting them: a string arriving where a float16 is expected is either a client bug or an attack, and both belong in a 400 response and a log line, not in a silent cast.
3. CHECKPOINT INTEGRITY: Validate saved model/checkpoint integrity via hash verification before loading, especially models sourced from external repositories. Pin a digest per file and compare the full file set, not just the top-level protobuf.
4. ISOLATION: Run inference servers in containers with auto-restart policies to minimize downtime from crashes. Auto-restart limits the blast radius of one malformed request; it does not stop a scripted loop from keeping the service down.
5. DETECTION: Monitor for abnormal process crashes or SIGSEGV signals in TF serving processes; correlate with incoming request payloads containing string values in numeric fields.
6. GRAPH MODE FALLBACK: If upgrading is not immediately possible and you control the serving code, disabling eager execution (`tf.compat.v1.disable_eager_execution()`, called before any tensor is created) routes the conversion through the graph-mode path, where the format checks exist, so the string-to-float16 case raises an error instead of segfaulting. This changes execution semantics for the whole process, so treat it as a stopgap, not a fix.
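A boundary validator of the kind step 2 calls for, added here as an illustration; it is not TensorFlow code and not code from this page. It assumes a request body of the shape {"instances": [[...], ...]} carrying one float16 feature vector per row (the field name and the feature width are assumptions), returns plain Python floats so that the only thing later handed to tf.constant(..., tf.float16) is numeric, and rejects rather than casts, so a numeric-looking string is treated as the anomaly it is. The sample bodies are constructed.

```python
"""Enforce a numeric dtype contract on request bodies before any value
reaches tf.constant / a model input. Added example; not TensorFlow code."""
import json
import math
import numbers
from typing import Any, List, Tuple

# Constructed sample bodies in the assumed {"instances": [[...], ...]} shape.
GOOD_BODY = '{"instances": [[0.5, 1.25, -3.0], [2, 4, 8]]}'
BAD_BODY = '{"instances": [[0.5, "hello", -3.0]]}'  # the CVE-2020-5215 trigger value

FLOAT16_MAX = 65504.0  # largest finite float16; larger values overflow to inf on cast


class InvalidInput(ValueError):
    """Raised at the serving boundary; map it to an HTTP 400, never let it crash."""


def _check_scalar(value: Any, path: str) -> float:
    # bool subclasses int in Python, so test for it first or True becomes 1.0 silently.
    if isinstance(value, bool) or not isinstance(value, numbers.Real):
        raise InvalidInput(f"{path}: expected a number, got {type(value).__name__}")
    f = float(value)
    if math.isnan(f) or math.isinf(f):
        raise InvalidInput(f"{path}: non-finite value")
    if abs(f) > FLOAT16_MAX:
        raise InvalidInput(f"{path}: {f} is outside the float16 range")
    return f


def _check_row(row: Any, width: int, path: str) -> List[float]:
    if not isinstance(row, list) or len(row) != width:
        raise InvalidInput(f"{path}: expected a list of {width} numbers")
    return [_check_scalar(v, f"{path}[{i}]") for i, v in enumerate(row)]


def validate_instances(payload: Any, feature_width: int) -> List[List[float]]:
    """Return a clean nested list of floats; raise InvalidInput on any violation."""
    if not isinstance(payload, dict) or not isinstance(payload.get("instances"), list):
        raise InvalidInput("payload: expected {'instances': [[...], ...]}")
    rows = payload["instances"]
    if not rows:
        raise InvalidInput("payload: 'instances' is empty")
    return [_check_row(r, feature_width, f"instances[{i}]") for i, r in enumerate(rows)]


def validate_body(body: str, feature_width: int) -> List[List[float]]:
    """Parse the raw request body, then validate it.

    json.loads accepts the non-standard NaN/Infinity tokens by default, so the
    finiteness check in _check_scalar is not redundant for JSON input.
    """
    try:
        payload = json.loads(body)
    except json.JSONDecodeError as exc:
        raise InvalidInput(f"payload: malformed JSON ({exc.msg})") from exc
    return validate_instances(payload, feature_width)


def classify(body: str, feature_width: int) -> Tuple[str, str]:
    """('ok', '') or ('rejected', reason); convenient for logging and tests."""
    try:
        validate_body(body, feature_width)
        return ("ok", "")
    except InvalidInput as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name, body in [("good", GOOD_BODY), ("bad", BAD_BODY)]:
        print(name, classify(body, 3))
    # After this gate, tf.constant(validate_body(body, 3), tf.float16) only ever
    # receives Python floats, so the unguarded string-to-float16 path is never reached.
```

The rejection reason names the exact element that failed, which is what the detection step needs to correlate a crash (or, once this gate is in place, a 400) with the offending field. Keep the gate in front of every entry point that builds tensors from external data, including batch and training ingestion, not just the online inference route.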
Frequently Asked Questions
What is CVE-2020-5215?
CVE-2020-5215 is a denial-of-service flaw in TensorFlow before 1.15.2 and 2.0.1. In eager mode, converting a Python string to a tf.float16 value skips the format checks that only graph mode performs, so tf.constant("hello", tf.float16) segfaults the process. Any inference or training path that accepts external data, and any pipeline that loads externally sourced checkpoints or saved models, can therefore be crashed with a single malformed value.
Is CVE-2020-5215 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2020-5215, increasing the risk of exploitation.
How to fix CVE-2020-5215?
Patch to TensorFlow 1.15.2, 2.0.1, or 2.1.0 (patched commit 5ac1b9e). Until the upgrade lands: enforce dtype contracts on inputs at the serving boundary and reject non-numeric values, hash-verify checkpoints and saved models before loading, run inference under an auto-restart policy, alert on SIGSEGV in TF serving processes and correlate with the request that preceded the crash, and, where you control the serving code, disable eager execution as a stopgap. The six steps are spelled out under "What should I do?" above.
What systems are affected by CVE-2020-5215?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, data preprocessing pipelines.
What is the CVSS score for CVE-2020-5215?
CVE-2020-5215 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.58%.
What is the AI security impact?
Affected AI Architectures
model serving, training pipelines, inference APIs, data preprocessing pipelines
MITRE ATLAS Techniques
- AML.T0010.001 AI Software (supply chain compromise via the checkpoint/saved-model vector)
- AML.T0029 Denial of AI Service
- AML.T0040 AI Model Inference API Access
- AML.T0043.003 Manual Modification
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant("hello", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0.
Exploitation Scenario
An adversary targeting an AI-powered API (e.g., a fraud detection or NLP preprocessing service backed by TensorFlow) identifies that the inference endpoint accepts JSON payloads with tensor data. The attacker submits a request with a string value ('hello' or any non-numeric string) in a field expected to be a float16 tensor. TensorFlow's eager execution attempts the type conversion, hits the unguarded code path, and the process segfaults. With a scripted loop, the attacker can maintain a persistent DoS against the service. Alternatively, for a more targeted supply chain attack, the adversary compromises a shared model registry or CI artifact store and replaces a scalar float16 value in a saved checkpoint with a string — every deployment that loads this checkpoint crashes on startup, causing a service outage affecting all consumers of that model artifact.
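For the checkpoint and saved-model vector in the scenario above, a manifest check of the kind step 3 describes, added here as an illustration; it is not TensorFlow code and not code from this page. It walks a model directory, pins a SHA-256 per file, and refuses to load anything whose file set or contents differ from the pinned manifest. The directory layout and file contents in demo() are constructed stand-ins for a real SavedModel, and the manifest itself must arrive over a channel the artifact store cannot tamper with (committed to the deploying repository, or signed), otherwise an attacker who replaces the artifact simply replaces the manifest too.

```python
"""Pin and verify a SHA-256 per file for a SavedModel/checkpoint directory
before it is loaded. Added example; not TensorFlow code."""
import hashlib
import os
import tempfile
from typing import Dict, List


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(model_dir: str) -> Dict[str, str]:
    """Map each file's '/'-separated relative path to its SHA-256 hex digest."""
    manifest: Dict[str, str] = {}
    for root, _dirs, files in os.walk(model_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, model_dir).replace(os.sep, "/")
            manifest[rel] = _sha256_file(full)
    return manifest


def verify_manifest(model_dir: str, pinned: Dict[str, str]) -> List[str]:
    """Return a sorted list of problems; an empty list means the artifact may be loaded.

    Extra files are reported as well as modified or missing ones: an attacker
    who can write to the artifact store can add a file, not only edit one.
    """
    actual = build_manifest(model_dir)
    problems: List[str] = []
    for rel, digest in pinned.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    for rel in actual:
        if rel not in pinned:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> Dict[str, List[str]]:
    """Constructed demo: fake SavedModel layout, pin it, then tamper with the variables file."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "variables"))
        files = {
            "saved_model.pb": b"\x08\x01constructed-graph-bytes",
            "variables/variables.index": b"constructed-index",
            # four float16 1.0 values (0x3C00, little-endian) standing in for weights
            "variables/variables.data-00000-of-00001": b"\x00\x3c" * 4,
        }
        for rel, data in files.items():
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        pinned = build_manifest(d)  # in practice: loaded from a trusted, separately stored manifest
        results["clean"] = verify_manifest(d, pinned)
        # Tamper as in the advisory's supply-chain variant: a scalar slot becomes a string,
        # and a file the deployment never shipped appears alongside it.
        with open(os.path.join(d, "variables/variables.data-00000-of-00001"), "wb") as f:
            f.write(b"hello\x00\x3c\x00\x3c")
        with open(os.path.join(d, "variables/extra.bin"), "wb") as f:
            f.write(b"dropped-in")
        results["tampered"] = verify_manifest(d, pinned)
    return results


if __name__ == "__main__":
    for state, problems in demo().items():
        print(state, problems or "ok")
```

Run the check in the loader, before tf.saved_model.load or checkpoint restore is ever called, and fail closed: a non-empty problem list should abort startup with the list in the log, not fall through to loading whatever is on disk.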
Weaknesses (CWE)
- CWE-20 Improper Input Validation (primary): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
- CWE-754 Improper Check for Unusual or Exceptional Conditions
CWE-20 potential mitigations:
- [Architecture and Design] Consider using language-theoretic security (LangSec) techniques that characterize inputs using a formal language and build "recognizers" for that language. This effectively requires parsing to be a distinct layer that effectively enforces a boundary between raw input and internal data representations, instead of allowing parser code to be scattered throughout the program, where it could be subject to errors or inconsistencies that create weaknesses. [REF-1109] [REF-1110] [REF-1111]
- [Architecture and Design] Use an input validation framework such as Struts or the OWASP ESAPI Validation API. Note that using a framework does not automatically address all input validation problems; be mindful of weaknesses that could arise from misusing the framework itself (CWE-1173).
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
- github.com/tensorflow/tensorflow/commit/5ac1b9e24ff6afc465756edf845d2e9660bd34bf Patch
- github.com/tensorflow/tensorflow/releases/tag/v1.15.2 Release
- github.com/tensorflow/tensorflow/releases/tag/v2.0.1 Release
- github.com/tensorflow/tensorflow/security/advisories/GHSA-977j-xj7q-2jr9 (Exploit, Patch, 3rd Party)
Related Vulnerabilities (same package: tensorflow)
- CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops
- CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch
- CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op
- CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass
- CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE