CVE-2021-41213 — MEDIUM (CVSS 5.5) AI Security Vulnerability

CISO Take

If your MLOps pipelines or serving infrastructure loads TensorFlow models from external or untrusted sources, a crafted model with mutually recursive tf.function decorators can deadlock the Python process. Patch to TF 2.7.0/2.6.1/2.5.2/2.4.4 and enforce model provenance controls. This is not actively exploited in the wild, but the untrusted-model loading vector is realistic in open model sharing workflows.

Risk Assessment

Medium risk overall but contextually elevated for teams consuming public or third-party TensorFlow SavedModels. The local attack vector and required user interaction keep CVSS at 5.5, but in MLOps pipelines where models are pulled from registries or marketplaces the 'user interaction' step is automated—effectively reducing the barrier. No privileges required by the attacker. Availability impact is high (full DoS of the loading process). Not in KEV; no known exploitation in the wild.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

5.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 13% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR None

UI Required

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (patches commit afac8158).
Enforce model provenance: only load SavedModels from internal, signed, or hash-verified sources.
Run model loading in sandboxed subprocesses with watchdog timeouts so a deadlock is detected and killed rather than hanging the main service.
Audit model registries and CI pipelines for any externally sourced TF models loaded without integrity verification.
Add liveness/timeout checks in model loading code paths.

Classification

DoS Supply Chain Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0058 - Publish Poisoned Models

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.9.2 - AI system operational monitoring and performance

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain the value of deployed AI

OWASP LLM Top 10

LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2021-41213?

If your MLOps pipelines or serving infrastructure loads TensorFlow models from external or untrusted sources, a crafted model with mutually recursive tf.function decorators can deadlock the Python process. Patch to TF 2.7.0/2.6.1/2.5.2/2.4.4 and enforce model provenance controls. This is not actively exploited in the wild, but the untrusted-model loading vector is realistic in open model sharing workflows.

Is CVE-2021-41213 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2021-41213, increasing the risk of exploitation.

How to fix CVE-2021-41213?

1. Upgrade TensorFlow to 2.7.0, 2.6.1, 2.5.2, or 2.4.4 (patches commit afac8158). 2. Enforce model provenance: only load SavedModels from internal, signed, or hash-verified sources. 3. Run model loading in sandboxed subprocesses with watchdog timeouts so a deadlock is detected and killed rather than hanging the main service. 4. Audit model registries and CI pipelines for any externally sourced TF models loaded without integrity verification. 5. Add liveness/timeout checks in model loading code paths.

What systems are affected by CVE-2021-41213?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference, model registries.

What is the CVSS score for CVE-2021-41213?

CVE-2021-41213 has a CVSS v3.1 base score of 5.5 (MEDIUM). The EPSS exploitation probability is 0.04%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. In affected versions the code behind `tf.function` API can be made to deadlock when two `tf.function` decorated Python functions are mutually recursive. This occurs due to using a non-reentrant `Lock` Python object. Loading any model which contains mutually recursive functions is vulnerable. An attacker can cause denial of service by causing users to load such models and calling a recursive `tf.function`, although this is not a frequent scenario. The fix will be included in TensorFlow 2.7.0. We will also cherrypick this commit on TensorFlow 2.6.1, TensorFlow 2.5.2, and TensorFlow 2.4.4, as these are also affected and still in supported range.

Exploitation Scenario

An adversary publishes a TensorFlow SavedModel on Hugging Face or a public model registry, advertising it as a fine-tuned classification model. The model contains two mutually recursive tf.function-decorated Python functions embedded in its serving signatures. When a victim's MLOps pipeline pulls and loads the model for evaluation or deployment, the non-reentrant Lock inside tf.function is acquired twice in the same thread—causing a permanent deadlock. The model serving process hangs, taking down the inference endpoint. In automated pipelines without timeout guards, this can silently block production deployments or training jobs.