CVE-2022-23571: TensorFlow: protobuf assertion DoS via invalid tensor dtype

MEDIUM
Published February 4, 2022
CISO Take

Any authenticated user can crash TensorFlow model serving by sending a protobuf payload with an invalid tensor dtype and zero elements, triggering a fatal CHECK assertion failure. Exploitation is trivial—no AI/ML expertise required—and causes full availability loss for inference endpoints until the process is restarted. Patch to TF 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately; add input validation upstream of any TF serving endpoint that accepts external protobuf.

What is the risk?

Medium overall, but operationally significant for teams running TensorFlow inference APIs. The attack requires only low privileges—any authenticated API consumer can trigger it—and complexity is low, making it a plausible insider threat or abuse-of-access scenario. The blast radius is availability-only (no data loss, no code execution), but a crashed inference service can cascade into SLA failures, automated system degradation, or masking of other attacks. AI/ML serving infrastructure is often under-monitored for process crashes, increasing dwell time before detection.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: 0.5% chance of exploitation in 30 days (higher than 36% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: Low
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

  1. PATCH

    Upgrade TensorFlow to 2.8.0, 2.7.1, 2.6.3, or 2.5.3 (cherry-picked fix commit 5b491cd).

  2. VALIDATE

    Add server-side dtype and shape validation before passing tensors to TF ops—reject any tensor with dtype outside the expected enum range or element count mismatching the declared shape.

  3. ISOLATE

    Run TF serving processes in containers with automatic restart policies (e.g., Kubernetes restartPolicy: Always) to minimize availability impact.

  4. RATE-LIMIT

    Enforce per-client request throttling on inference endpoints to prevent sustained crash loops.

  5. DETECT

    Alert on repeated TF process crashes or assertion failure strings in logs (grep for 'Check failed' in TF stderr).

  6. AUDIT

    Identify all internal and external callers who can submit raw protobuf payloads to TF serving endpoints.
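One way to implement the VALIDATE step in a gateway in front of the serving process. This is an added example, not TensorFlow's or the advisory's own code. TensorFields is a hypothetical stand-in for the decoded TensorProto fields, the allowlist and limits are assumed values for one model signature, and the tensor data is assumed to arrive as packed bytes.

```python
from dataclasses import dataclass
from math import prod

# Subset of TensorFlow's DataType enum (types.proto); 0 is DT_INVALID.
DT_INVALID, DT_FLOAT, DT_DOUBLE, DT_INT32, DT_INT64 = 0, 1, 2, 3, 9

# Assumed allowlist for one model signature: dtype -> bytes per element.
ALLOWED_DTYPES = {DT_FLOAT: 4, DT_INT32: 4, DT_INT64: 8}
MAX_ELEMENTS = 1_000_000  # assumed per-request ceiling
MAX_RANK = 8              # assumed maximum number of dimensions


@dataclass
class TensorFields:
    """Hypothetical stand-in for the TensorProto fields that get checked."""
    dtype: int
    dims: list
    content: bytes = b""


def validate_tensor(t: TensorFields) -> list:
    """Return the reasons to reject t; an empty list means accept."""
    errors = []
    # An allowlist rejects DT_INVALID and out-of-range values alike.
    if t.dtype not in ALLOWED_DTYPES:
        errors.append(f"dtype {t.dtype} not in allowlist")
    if len(t.dims) > MAX_RANK:
        errors.append(f"rank {len(t.dims)} exceeds {MAX_RANK}")
    if any(not isinstance(d, int) or d < 0 for d in t.dims):
        errors.append("negative or non-integer dimension")
        return errors  # element count is undefined, stop here
    count = prod(t.dims)  # prod([]) == 1: an empty dims list is a scalar
    if count > MAX_ELEMENTS:
        errors.append(f"{count} elements exceeds {MAX_ELEMENTS}")
    # The payload size must agree with the declared shape and dtype.
    size = ALLOWED_DTYPES.get(t.dtype)
    if size is not None and len(t.content) != count * size:
        errors.append(
            f"content is {len(t.content)} bytes, shape implies {count * size}")
    return errors
```

Reject the request at the gateway whenever the returned list is non-empty, so the malformed tensor never reaches the TensorFlow decoding path.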

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001: A.7.3 - AI System Operation
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2022-23571 actively exploited?

No confirmed active exploitation of CVE-2022-23571 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2022-23571?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines.

What is the CVSS score for CVE-2022-23571?

CVE-2022-23571 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.46%.

What is the AI security impact?

Affected AI Architectures

model serving, inference endpoints, training pipelines

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.7.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

Tensorflow is an Open Source Machine Learning Framework. When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments, if the tensors have an invalid `dtype` and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An attacker with API access to a TensorFlow Serving endpoint—e.g., an internal data scientist, a compromised CI/CD pipeline, or an external customer with trial access—crafts a protobuf-encoded PredictRequest containing a tensor with dtype set to an invalid value (0 or out-of-range enum) and an empty shape (0 elements). When TF deserializes this tensor, the CHECK assertion in the protobuf decoding path fires and aborts the serving process. The attacker automates this in a loop, causing continuous crashes that overwhelm the restart mechanism. Model inference becomes unavailable for all consumers, potentially triggering automated fallback behaviors or exposing secondary vulnerabilities in failover paths. No exploit code, AI expertise, or special tooling is required—only a protobuf library and knowledge of the TF Serving gRPC schema.
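A detection sketch for the repeated-crash pattern in this scenario, keyed on the 'Check failed' string the DETECT step names. This is an added example, not part of the advisory. The log lines are constructed, their source paths and conditions are placeholders, the line layout is assumed to follow TensorFlow's usual stderr format, and the threshold and window are assumed values.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample of TF-style stderr; paths and conditions are placeholders.
SAMPLE_LOG = """\
2022-02-04 10:00:01.000000: I <placeholder>.cc:1] serving started
2022-02-04 10:00:05.000000: F <placeholder>.cc:1] Check failed: <placeholder condition>
2022-02-04 10:00:09.000000: I <placeholder>.cc:1] serving started
2022-02-04 10:00:12.000000: F <placeholder>.cc:1] Check failed: <placeholder condition>
2022-02-04 10:00:20.000000: F <placeholder>.cc:1] Check failed: <placeholder condition>
2022-02-04 11:30:00.000000: F <placeholder>.cc:1] Check failed: <placeholder condition>
"""

# timestamp, one-letter severity, "file:line]", then the message
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+): (\w) .*?\] (.*)$")


def crash_loop_alerts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return the timestamps at which at least `threshold` 'Check failed'
    lines had occurred within the trailing `window`."""
    recent, alerts = deque(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "Check failed" not in m.group(3):
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        recent.append(ts)
        # Drop assertion failures that have aged out of the window.
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            alerts.append(ts)
    return alerts
```

A single assertion failure stays below the threshold; the alert fires only when failures cluster, which is the signature of a process being crashed faster than it can be restarted.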

Weaknesses (CWE)

CWE-617 — Reachable Assertion: The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary.

  • [Implementation] Make sensitive open/close operation non reachable by directly user-controlled data (e.g. open/close resources)
  • [Implementation] Perform input validation on user data.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: February 4, 2022
Last Modified: November 21, 2024
First Seen: February 4, 2022
