CVE-2022-23563 — MEDIUM (CVSS 6.3) AI Security Vulnerability

CISO Take

TensorFlow's use of mktemp() creates a race condition where a local attacker can hijack temp file paths between name generation and actual creation. In shared ML infrastructure — GPU clusters, multi-user Jupyter servers, HPC environments — a low-privilege user can redirect TensorFlow's temp writes to sensitive targets or extract training data. Patch immediately via pip upgrade; this is a one-command fix with no workaround otherwise.

Risk Assessment

CVSS 6.3 Medium, but the real risk is context-dependent. Attack complexity is High (race condition timing), which limits opportunistic exploitation, but automated race condition tooling exists and reduces the bar. The local attack vector narrows exposure, yet shared ML training infrastructure is the norm in enterprise AI teams, where multiple users share the same filesystem. C:H/I:H impact means successful exploitation yields full read/write access to whatever data TensorFlow writes to temp storage — model checkpoints, data batches, serialized tensors. Not in CISA KEV, no public exploitation evidence; treat as medium-urgency patching.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

6.3 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 3% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Local

AC High

PR Low

UI None

S Unchanged

C High

I High

A None

Recommended Action

6 steps

Upgrade TensorFlow immediately: pip install --upgrade tensorflow — patches replace mktemp with mkstemp/mkdtemp across affected code paths.
Verify the patched commits are included in your installed version (check TF security advisory GHSA-wc4g-r73w-x8mm).
Harden shared ML infrastructure: isolate training jobs in containers or separate Linux user namespaces to eliminate same-filesystem coexistence with untrusted users.
Apply least-privilege: training service accounts should not share /tmp with interactive user sessions.
Short-term workaround if patching is delayed: set TMPDIR to a directory with restricted permissions (chmod 700) owned by the training user, eliminating race window for other users.
Detection: monitor /tmp with inotifywait for symlink creation events timed with TensorFlow training job activity.

Classification

Supply Chain Data Leakage Code Execution Framework Training Data AML.T0010.001 - AI Software AML.T0020 - Poison Training Data AML.T0025 - Exfiltration via Cyber Means

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.6 - Information security in AI system development

NIST AI RMF

MANAGE 2.2 - Mechanisms for tracking identified AI risks over time are in place

OWASP LLM Top 10

LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-23563?

TensorFlow's use of mktemp() creates a race condition where a local attacker can hijack temp file paths between name generation and actual creation. In shared ML infrastructure — GPU clusters, multi-user Jupyter servers, HPC environments — a low-privilege user can redirect TensorFlow's temp writes to sensitive targets or extract training data. Patch immediately via pip upgrade; this is a one-command fix with no workaround otherwise.

Is CVE-2022-23563 actively exploited?

No confirmed active exploitation of CVE-2022-23563 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-23563?

1. Upgrade TensorFlow immediately: pip install --upgrade tensorflow — patches replace mktemp with mkstemp/mkdtemp across affected code paths. 2. Verify the patched commits are included in your installed version (check TF security advisory GHSA-wc4g-r73w-x8mm). 3. Harden shared ML infrastructure: isolate training jobs in containers or separate Linux user namespaces to eliminate same-filesystem coexistence with untrusted users. 4. Apply least-privilege: training service accounts should not share /tmp with interactive user sessions. 5. Short-term workaround if patching is delayed: set TMPDIR to a directory with restricted permissions (chmod 700) owned by the training user, eliminating race window for other users. 6. Detection: monitor /tmp with inotifywait for symlink creation events timed with TensorFlow training job activity.

What systems are affected by CVE-2022-23563?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, shared ML infrastructure.

What is the CVSS score for CVE-2022-23563?

CVE-2022-23563 has a CVSS v3.1 base score of 6.3 (MEDIUM). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. In multiple places, TensorFlow uses `tempfile.mktemp` to create temporary files. While this is acceptable in testing, in utilities and libraries it is dangerous as a different process can create the file between the check for the filename in `mktemp` and the actual creation of the file by a subsequent operation (a TOC/TOU type of weakness). In several instances, TensorFlow was supposed to actually create a temporary directory instead of a file. This logic bug is hidden away by the `mktemp` function usage. We have patched the issue in several commits, replacing `mktemp` with the safer `mkstemp`/`mkdtemp` functions, according to the usage pattern. Users are advised to upgrade as soon as possible.

Exploitation Scenario

Attacker has low-privilege shell access to a shared GPU training server (common in university labs, HPC clusters, enterprise data science teams). They run a background watcher monitoring /tmp for filenames matching TensorFlow's temp naming patterns using inotify. A privileged ML pipeline job calls mktemp(), which returns a filename but does not yet create it. In the microsecond window before TensorFlow's next operation, the attacker creates a symlink at that exact path pointing to a sensitive target — for example, a cron file, a model registry path, or a world-readable location. TensorFlow proceeds unaware, writing training data or checkpoint content to the attacker's target. In the mkdtemp-should-have-been-used case, TensorFlow creates a file instead of a directory, causing crashes that mask the underlying manipulation. Net result: training data exfiltration or integrity compromise of model artifacts, depending on attacker objective.