CVE-2023-25658: TensorFlow OOB read — HIGH

CISO Take

This vulnerability allows an unauthenticated remote attacker to crash TensorFlow processes handling GRU-based model training or inference by supplying crafted tensor inputs, resulting in denial of service. Any organization running TensorFlow-based RNN/GRU workloads exposed to external inputs — including model-serving endpoints or shared training infrastructure — should patch to 2.12.0 or 2.11.1 immediately. No confidentiality or integrity impact confirmed, but availability disruption to training pipelines and inference endpoints is real and exploitable without privileges.

What is the risk?

HIGH for organizations running GRU/RNN-based model serving endpoints exposed to the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) means no authentication or user interaction is needed — any attacker who can submit inputs to a TensorFlow endpoint can trigger the crash. Risk is lower for air-gapped training environments or organizations not using GRU architectures. The lack of exploitation activity and absence from CISA KEV moderates urgency, but the trivial exploitability keeps this high priority for exposed deployments.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 30% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

PATCH

Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — only fix available, no workaround documented.
INVENTORY

Identify all services running TensorFlow with GRU/RNN model architectures (search for GRUCell, GRUBlockCell in model code).
ISOLATE

Ensure TensorFlow training and inference endpoints are not directly internet-exposed; enforce network segmentation and authentication before any model inference API.
DETECT

Monitor for unexpected TensorFlow process crashes or OOM errors — repeated crashes from a single source IP indicate exploitation attempts.
VALIDATE

After patching, run gradient checks on GRU models to confirm correct behavior is restored.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Code Execution Framework Inference Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Robustness and Availability

NIST AI RMF

MANAGE 2.4 - Residual Risk Monitoring for AI Dependencies

OWASP LLM Top 10

LLM09:2025 - Misinformation / Overreliance on Unvalidated Inputs

Frequently Asked Questions

What is CVE-2023-25658?

This vulnerability allows an unauthenticated remote attacker to crash TensorFlow processes handling GRU-based model training or inference by supplying crafted tensor inputs, resulting in denial of service. Any organization running TensorFlow-based RNN/GRU workloads exposed to external inputs — including model-serving endpoints or shared training infrastructure — should patch to 2.12.0 or 2.11.1 immediately. No confidentiality or integrity impact confirmed, but availability disruption to training pipelines and inference endpoints is real and exploitable without privileges.

Is CVE-2023-25658 actively exploited?

No confirmed active exploitation of CVE-2023-25658 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25658?

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — only fix available, no workaround documented. 2. INVENTORY: Identify all services running TensorFlow with GRU/RNN model architectures (search for GRUCell, GRUBlockCell in model code). 3. ISOLATE: Ensure TensorFlow training and inference endpoints are not directly internet-exposed; enforce network segmentation and authentication before any model inference API. 4. DETECT: Monitor for unexpected TensorFlow process crashes or OOM errors — repeated crashes from a single source IP indicate exploitation attempts. 5. VALIDATE: After patching, run gradient checks on GRU models to confirm correct behavior is restored.

What systems are affected by CVE-2023-25658?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML infrastructure.

What is the CVSS score for CVE-2023-25658?

CVE-2023-25658 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.38%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servingML infrastructure

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0029 Denial of AI Service

AML.T0043 Craft Adversarial Data

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.2.5

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM09:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, an out of bounds read is in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An attacker targets an organization's publicly accessible model-serving API built on TensorFlow, hosting a sentiment analysis or time-series forecasting model using GRU layers. By crafting a malformed tensor input with dimensions that trigger the out-of-bounds read in GRUBlockCellGrad during gradient computation, the attacker repeatedly crashes the TensorFlow serving process. This disrupts real-time inference availability and — in training-as-a-service platforms — kills long-running training jobs. The attack requires no authentication, no AI/ML expertise to execute (just knowledge of the endpoint and the CVE PoC), and can be scripted for sustained denial of service.

Weaknesses (CWE)

CWE-125 Out-of-bounds Read

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.