CVE-2020-5215: TensorFlow: type confusion DoS crashes eager mode inference

Severity: HIGH. Public PoC available.
Published January 28, 2020
CISO Take

Any TensorFlow deployment (1.x < 1.15.2 or 2.0.x < 2.0.1) accepting external input for inference or training is vulnerable to remote crash via a single malformed string value. Upgrade to TF 1.15.2, 2.0.1, or 2.1.0 immediately — the exploit is a one-liner with zero prerequisites. If patching is not immediate, add strict input type validation at the API/serving boundary before data reaches TensorFlow.

Risk Assessment

High risk for internet-exposed TF inference endpoints. CVSS 7.5 reflects the low attack complexity accurately — no authentication, no user interaction, network-reachable. The segfault terminates the process, meaning a single malicious request can take down a serving instance. Containerized deployments auto-restart but are still susceptible to sustained DoS. On-prem model servers without auto-recovery face extended downtime. Risk is lower for internal-only pipelines with trusted data sources, but supply chain vectors (manipulated checkpoints/saved models) extend the attack surface beyond direct API access.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 46% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High

Recommended Action

  1. PATCH
     Upgrade to TensorFlow 1.15.2, 2.0.1, or 2.1.0. Verify with `pip show tensorflow` and cross-reference against the patched commit (5ac1b9e).

  2. IMMEDIATE WORKAROUND
     Add input validation middleware that enforces dtype contracts before tensors reach TF: reject or cast inputs that are not numeric.

  3. CHECKPOINT INTEGRITY
     Validate saved model/checkpoint integrity via hash verification before loading, especially models sourced from external repositories.

  4. ISOLATION
     Run inference servers in containers with auto-restart policies to minimize downtime from crashes.

  5. DETECTION
     Monitor for abnormal process crashes or SIGSEGV signals in TF serving processes; correlate with incoming request payloads containing string values in numeric fields.

  6. GRAPH MODE FALLBACK
     If upgrading is not immediately possible and you control the serving code, forcing graph mode disables the vulnerable eager-mode path as a temporary mitigation.
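The dtype gate from step 2, as an added example that is not part of this advisory or of TensorFlow itself: a pure-Python validator that runs in front of the serving process and rejects any leaf of a declared float16/float32 tensor that is a string, boolean, non-finite, or too large for the dtype, so the value described in the NVD text never reaches an eager-mode conversion. The endpoint schema (field names `features` and `weights`) is a constructed assumption.

```python
import json
import math
import struct

# Constructed schema for a hypothetical endpoint (field name -> dtype); the names are
# assumptions. PACK_FMT is the struct format used to test representability per dtype.
SCHEMA = {"features": "float16", "weights": "float32"}
PACK_FMT = {"float16": "<e", "float32": "<f"}

def _check_scalar(value, dtype, path, errors):
    # Only plain int/float leaves are accepted (bool is an int subclass, so it is
    # excluded). A str leaf is the value that crashes unpatched eager-mode TF.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        errors.append(f"{path}: expected {dtype}, got {type(value).__name__}")
    elif isinstance(value, float) and not math.isfinite(value):
        errors.append(f"{path}: non-finite value {value!r}")
    else:
        try:  # OverflowError when the magnitude exceeds the dtype (65504 for float16)
            struct.pack(PACK_FMT[dtype], float(value))
        except (OverflowError, struct.error):
            errors.append(f"{path}: {value!r} does not fit in {dtype}")

def _walk(value, dtype, path, errors):
    # Tensor data arrives as nested JSON arrays: visit every leaf and require
    # siblings to agree on nesting so ragged input is rejected as well.
    if not isinstance(value, list):
        _check_scalar(value, dtype, path, errors)
        return
    nested = bool(value) and isinstance(value[0], list)
    for i, item in enumerate(value):
        if isinstance(item, list) != nested:
            errors.append(f"{path}[{i}]: ragged tensor")
        else:
            _walk(item, dtype, f"{path}[{i}]", errors)

def validate_payload(raw_json, schema=SCHEMA):
    # Returns a list of validation errors; an empty list means the payload may reach TF.
    try:
        payload = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(payload, dict):
        return ["payload must be a JSON object"]
    errors = []
    for field, dtype in schema.items():
        if field in payload:
            _walk(payload[field], dtype, field, errors)
        else:
            errors.append(f"{field}: missing")
    return errors
```

Wire `validate_payload` into the request handler and return HTTP 400 whenever the list is non-empty; log the error paths, since they are the "string in a numeric field" signal that step 5 asks you to correlate with crashes.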

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  - Article 15 - Accuracy, robustness and cybersecurity
  - Article 9 - Risk management system
ISO 42001
  - A.6.2.3 - AI risk treatment
  - A.8.4 - AI system input controls
NIST AI RMF
  - MANAGE 2.2 - Mechanisms to sustain treatment of identified risks
  - MEASURE 2.5 - AI system robustness; evaluations for trustworthy characteristics
OWASP LLM Top 10
  - LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2020-5215 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2020-5215, increasing the risk of exploitation.

What systems are affected by CVE-2020-5215?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, data preprocessing pipelines.

What is the CVSS score for CVE-2020-5215?

CVE-2020-5215 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.23%.

Technical Details

NVD Description

In TensorFlow before 1.15.2 and 2.0.1, converting a string (from Python) to a tf.float16 value results in a segmentation fault in eager mode as the format checks for this use case are only in the graph mode. This issue can lead to denial of service in inference/training where a malicious attacker can send a data point which contains a string instead of a tf.float16 value. Similar effects can be obtained by manipulating saved models and checkpoints whereby replacing a scalar tf.float16 value with a scalar string will trigger this issue due to automatic conversions. This can be easily reproduced by tf.constant("hello", tf.float16), if eager execution is enabled. This issue is patched in TensorFlow 1.15.1 and 2.0.1 with this vulnerability patched. TensorFlow 2.1.0 was released after we fixed the issue, thus it is not affected. Users are encouraged to switch to TensorFlow 1.15.1, 2.0.1 or 2.1.0.

Exploitation Scenario

An adversary targeting an AI-powered API (e.g., a fraud detection or NLP preprocessing service backed by TensorFlow) identifies that the inference endpoint accepts JSON payloads with tensor data. The attacker submits a request with a string value ('hello' or any non-numeric string) in a field expected to be a float16 tensor. TensorFlow's eager execution attempts the type conversion, hits the unguarded code path, and the process segfaults. With a scripted loop, the attacker can maintain a persistent DoS against the service. Alternatively, for a more targeted supply chain attack, the adversary compromises a shared model registry or CI artifact store and replaces a scalar float16 value in a saved checkpoint with a string — every deployment that loads this checkpoint crashes on startup, causing a service outage affecting all consumers of that model artifact.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
January 28, 2020
Last Modified
November 21, 2024
First Seen
January 28, 2020