CVE-2023-25658 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

This vulnerability allows an unauthenticated remote attacker to crash TensorFlow processes handling GRU-based model training or inference by supplying crafted tensor inputs, resulting in denial of service. Any organization running TensorFlow-based RNN/GRU workloads exposed to external inputs — including model-serving endpoints or shared training infrastructure — should patch to 2.12.0 or 2.11.1 immediately. No confidentiality or integrity impact confirmed, but availability disruption to training pipelines and inference endpoints is real and exploitable without privileges.

Risk Assessment

HIGH for organizations running GRU/RNN-based model serving endpoints exposed to the network. The CVSS vector (AV:N/AC:L/PR:N/UI:N) means no authentication or user interaction is needed — any attacker who can submit inputs to a TensorFlow endpoint can trigger the crash. Risk is lower for air-gapped training environments or organizations not using GRU architectures. The lack of exploitation activity and absence from CISA KEV moderates urgency, but the trivial exploitability keeps this high priority for exposed deployments.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed 6d ago 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — only fix available, no workaround documented.
INVENTORY

Identify all services running TensorFlow with GRU/RNN model architectures (search for GRUCell, GRUBlockCell in model code).
ISOLATE

Ensure TensorFlow training and inference endpoints are not directly internet-exposed; enforce network segmentation and authentication before any model inference API.
DETECT

Monitor for unexpected TensorFlow process crashes or OOM errors — repeated crashes from a single source IP indicate exploitation attempts.
VALIDATE

After patching, run gradient checks on GRU models to confirm correct behavior is restored.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Code Execution Framework Inference Training Data AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.6.2.5 - AI System Robustness and Availability

NIST AI RMF

MANAGE 2.4 - Residual Risk Monitoring for AI Dependencies

OWASP LLM Top 10

LLM09:2025 - Misinformation / Overreliance on Unvalidated Inputs

Frequently Asked Questions

What is CVE-2023-25658?

This vulnerability allows an unauthenticated remote attacker to crash TensorFlow processes handling GRU-based model training or inference by supplying crafted tensor inputs, resulting in denial of service. Any organization running TensorFlow-based RNN/GRU workloads exposed to external inputs — including model-serving endpoints or shared training infrastructure — should patch to 2.12.0 or 2.11.1 immediately. No confidentiality or integrity impact confirmed, but availability disruption to training pipelines and inference endpoints is real and exploitable without privileges.

Is CVE-2023-25658 actively exploited?

No confirmed active exploitation of CVE-2023-25658 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25658?

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — only fix available, no workaround documented. 2. INVENTORY: Identify all services running TensorFlow with GRU/RNN model architectures (search for GRUCell, GRUBlockCell in model code). 3. ISOLATE: Ensure TensorFlow training and inference endpoints are not directly internet-exposed; enforce network segmentation and authentication before any model inference API. 4. DETECT: Monitor for unexpected TensorFlow process crashes or OOM errors — repeated crashes from a single source IP indicate exploitation attempts. 5. VALIDATE: After patching, run gradient checks on GRU models to confirm correct behavior is restored.

What systems are affected by CVE-2023-25658?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML infrastructure.

What is the CVSS score for CVE-2023-25658?

CVE-2023-25658 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, an out of bounds read is in GRUBlockCellGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An attacker targets an organization's publicly accessible model-serving API built on TensorFlow, hosting a sentiment analysis or time-series forecasting model using GRU layers. By crafting a malformed tensor input with dimensions that trigger the out-of-bounds read in GRUBlockCellGrad during gradient computation, the attacker repeatedly crashes the TensorFlow serving process. This disrupts real-time inference availability and — in training-as-a-service platforms — kills long-running training jobs. The attack requires no authentication, no AI/ML expertise to execute (just knowledge of the endpoint and the CVE PoC), and can be scripted for sustained denial of service.