CVE-2022-23591 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any system loading untrusted or externally-sourced TensorFlow SavedModel files is vulnerable to availability disruption via crafted recursive GraphDef fragments. Patch TensorFlow to 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your ML pipeline accepts user-uploaded models or pulls models from external registries without validation, treat those as untrusted input and sandbox the loading process.

Risk Assessment

High severity (CVSS 7.5) with network-reachable, zero-privilege, no-interaction attack path makes this straightforward to trigger remotely. Blast radius is limited to availability—no confidentiality or integrity impact—but in ML inference serving infrastructure, repeated crashes equate to service outage. Risk elevates significantly for platforms exposing model upload functionality or pulling models from shared registries without integrity verification.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 56% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.8.0, or cherry-pick fix (commit 448a168) into 2.7.1, 2.6.3, or 2.5.3.
INPUT VALIDATION

Validate SavedModel provenance—only load models from trusted, signed sources. Implement model artifact signing (e.g., Sigstore/cosign) in your ML pipeline.
SANDBOX

Run model loading in isolated subprocess or container with resource limits (ulimit -s) to contain stack overflow impact.
DETECT

Monitor for unexpected TF Serving/worker process crashes—repeated crash-restart cycles on model load are an indicator.
REGISTRY HYGIENE

Audit any community model checkpoints pulled from Hugging Face, TF Hub, or internal registries and verify against known-good hashes.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Supply Chain Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment 8.4 - AI system operation and monitoring

NIST AI RMF

GOVERN-6.1 - Third-party risk policies MANAGE-2.2 - Mechanisms for responding to AI risks

Frequently Asked Questions

What is CVE-2022-23591?

Any system loading untrusted or externally-sourced TensorFlow SavedModel files is vulnerable to availability disruption via crafted recursive GraphDef fragments. Patch TensorFlow to 2.8.0, 2.7.1, 2.6.3, or 2.5.3 immediately. If your ML pipeline accepts user-uploaded models or pulls models from external registries without validation, treat those as untrusted input and sandbox the loading process.

Is CVE-2022-23591 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-23591, increasing the risk of exploitation.

How to fix CVE-2022-23591?

1. PATCH: Upgrade TensorFlow to 2.8.0, or cherry-pick fix (commit 448a168) into 2.7.1, 2.6.3, or 2.5.3. 2. INPUT VALIDATION: Validate SavedModel provenance—only load models from trusted, signed sources. Implement model artifact signing (e.g., Sigstore/cosign) in your ML pipeline. 3. SANDBOX: Run model loading in isolated subprocess or container with resource limits (ulimit -s) to contain stack overflow impact. 4. DETECT: Monitor for unexpected TF Serving/worker process crashes—repeated crash-restart cycles on model load are an indicator. 5. REGISTRY HYGIENE: Audit any community model checkpoints pulled from Hugging Face, TF Hub, or internal registries and verify against known-good hashes.

What systems are affected by CVE-2022-23591?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, model registries, MLOps platforms.

What is the CVSS score for CVE-2022-23591?

CVE-2022-23591 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.34%.

Technical Details

NVD Description

Tensorflow is an Open Source Machine Learning Framework. The `GraphDef` format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a `GraphDef` containing a fragment such as the following can be consumed when loading a `SavedModel`. This would result in a stack overflow during execution as resolving each `NodeDef` means resolving the function itself and its nodes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

Exploitation Scenario

An adversary targeting an organization's ML inference platform crafts a malicious TensorFlow SavedModel containing a GraphDef with a self-recursive function definition. They upload it to the organization's model registry (exploiting weak upload controls) or serve it via a compromised third-party model hub. When the MLOps pipeline or TF Serving instance loads the checkpoint for deployment, the recursive NodeDef resolution triggers unbounded stack growth, crashing the inference worker. In a shared multi-tenant serving infrastructure, this could deny service to all models hosted on the affected worker pod.