CVE-2023-25659: TensorFlow: OOB read in DynamicStitch enables DoS

HIGH
Published March 25, 2023
CISO Take

A remotely exploitable denial-of-service vulnerability in TensorFlow's DynamicStitch operation requires no authentication and no user interaction. Any exposed TF Serving endpoint that serves a model containing a DynamicStitch op whose input shapes are derived from request data is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; the crash is triggered by sending `indices` and `data` tensors whose shapes do not match. Impact is availability-only, but production ML inference outages are operationally significant.

What is the risk?

High severity for organizations running TensorFlow-based inference APIs exposed to untrusted input. CVSS 7.5 with network vector, low complexity, and no privileges required means exploitation is trivial and scriptable once a reachable DynamicStitch op with request-controlled shapes is found. The blast radius is limited to availability (no confidentiality or integrity loss), but a crashed ML serving layer can cascade into downstream service failures. Risk is elevated for MLaaS platforms and internal AI APIs that process external data.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip Prior to 2.11.1 / 2.12.0 2.11.1, 2.12.0

Do you use TensorFlow before 2.11.1 or 2.12.0? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 31% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1 — the only supported fix.

  2. Workaround: Add input validation that checks the DynamicStitch shape contract before the op runs: each `data[i]` shape must begin with the shape of the matching `indices[i]`, and the trailing part of the shape must be the same for every `i`. Reject mismatched tensors at the API boundary. This only helps where those shapes come from request data; shapes fixed inside the model cannot be influenced by a caller.

  3. Containment: Run TF Serving behind an API gateway with request schema validation; enforce tensor shape constraints via serving signatures.

  4. Detection: Monitor TF Serving process crashes and abnormal terminations; alert on repeated SIGSEGV/SIGABRT from inference workers.

  5. Inventory: Audit which models use DynamicStitch or ParallelDynamicStitch ops. `saved_model_cli show --dir <model_dir> --all` lists tag-sets and signatures but does not list ops; to enumerate ops, load the SavedModel and scan the op types in the serving signature's graph.
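The shape gate from step 2, as an added example that is not TensorFlow's or TF Serving's own code. It is written in plain Python so it can run in an API gateway or pre-processing layer without importing TensorFlow, and it checks the contract TensorFlow documents for DynamicStitch: `data[i].shape = indices[i].shape + constant`. It assumes a hypothetical TF Serving REST body in the columnar `inputs` format whose `indices` and `data` entries are lists of tensors; the request payloads are constructed for illustration.

```python
import json
from typing import Any, List, Tuple


def tensor_shape(value: Any) -> Tuple[int, ...]:
    """Infer the shape of a nested-list tensor as TF Serving's REST API encodes it.

    Raises ValueError on ragged nesting, which is rejected rather than guessed.
    """
    if not isinstance(value, list):
        return ()                      # scalar
    if not value:
        return (0,)                    # empty dimension
    inner = tensor_shape(value[0])
    for elem in value[1:]:
        if tensor_shape(elem) != inner:
            raise ValueError("ragged tensor")
    return (len(value),) + inner


def validate_dynamic_stitch(indices: List[Any], data: List[Any]) -> Tuple[bool, str]:
    """Enforce the DynamicStitch contract before the op is ever invoked.

    Requirements (from the op's documentation):
      * len(indices) == len(data)
      * data[i].shape starts with indices[i].shape
      * the remaining trailing shape is identical for every i
    The unpatched CPU kernel reads past a stack buffer when this is violated
    instead of returning an error, which is what CVE-2023-25659 exploits.
    """
    if len(indices) != len(data):
        return False, f"indices has {len(indices)} tensors, data has {len(data)}"
    suffix = None
    for i, (idx, dat) in enumerate(zip(indices, data)):
        try:
            ishape, dshape = tensor_shape(idx), tensor_shape(dat)
        except ValueError as exc:
            return False, f"component {i}: {exc}"
        if dshape[: len(ishape)] != ishape:
            return False, (f"component {i}: data shape {dshape} does not start "
                           f"with indices shape {ishape}")
        trailing = dshape[len(ishape):]
        if suffix is None:
            suffix = trailing
        elif trailing != suffix:
            return False, f"component {i}: trailing shape {trailing} != {suffix}"
    return True, "ok"


def check_predict_request(body: str) -> Tuple[bool, str]:
    """Gate a hypothetical /v1/models/<name>:predict body (columnar 'inputs'
    format) whose 'indices' and 'data' inputs feed a DynamicStitch op."""
    try:
        inputs = json.loads(body)["inputs"]
        indices, data = inputs["indices"], inputs["data"]
    except (ValueError, KeyError, TypeError) as exc:
        return False, f"malformed request: {exc!r}"
    if not (isinstance(indices, list) and isinstance(data, list)):
        return False, "indices and data must be lists of tensors"
    return validate_dynamic_stitch(indices, data)


# Constructed sample requests (not captured traffic).
# Well-formed: indices shapes (2,) and (1,), data shapes (2,2) and (1,2) -> suffix (2,)
GOOD_REQUEST = json.dumps({"inputs": {
    "indices": [[0, 2], [1]],
    "data": [[[1.0, 2.0], [3.0, 4.0]], [[5.0, 6.0]]],
}})
# Malformed in the way the advisory describes: indices shape (3,) vs data shape (2,2)
BAD_REQUEST = json.dumps({"inputs": {
    "indices": [[0, 1, 2]],
    "data": [[[1.0, 2.0], [3.0, 4.0]]],
}})

if __name__ == "__main__":
    for label, body in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        print(label, check_predict_request(body))
```

Rejecting at the gateway keeps the malformed request from ever reaching the kernel, so it protects unpatched workers as well; it is not a substitute for the upgrade, because shapes computed inside the graph bypass the gate.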

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - AI System Robustness and Availability
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI system performance
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2023-25659?

A remotely exploitable denial-of-service vulnerability in TensorFlow's DynamicStitch operation requires no authentication and no user interaction. Any exposed TF Serving endpoint that serves a model containing a DynamicStitch op whose input shapes are derived from request data is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; the crash is triggered by sending `indices` and `data` tensors whose shapes do not match. Impact is availability-only, but production ML inference outages are operationally significant.

Is CVE-2023-25659 actively exploited?

No confirmed active exploitation of CVE-2023-25659 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25659?

1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1, the only supported fix. 2. Workaround: Validate the DynamicStitch shape contract (each `data[i]` shape begins with the matching `indices[i]` shape, with the same trailing shape for every `i`) before the op runs, and reject mismatched tensors at the API boundary. 3. Containment: Run TF Serving behind an API gateway with request schema validation; enforce tensor shape constraints via serving signatures. 4. Detection: Monitor TF Serving process crashes and abnormal terminations; alert on repeated SIGSEGV/SIGABRT from inference workers. 5. Inventory: Audit which models use DynamicStitch or ParallelDynamicStitch ops by loading each SavedModel and scanning the op types in its serving signature's graph (`saved_model_cli show --dir <model_dir> --all` lists signatures, not ops).

What systems are affected by CVE-2023-25659?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.

What is the CVSS score for CVE-2023-25659?

CVE-2023-25659 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference APIs

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack OOB read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary identifies an organization's TensorFlow Serving endpoint (e.g., via Shodan or a public ML API) whose served model contains a DynamicStitch op fed from request inputs. They craft a gRPC or REST predict request with a tensor payload in which the `indices` tensor shapes do not match the `data` tensor shapes, which takes only a short script using the TF client. Upon receipt, the unpatched kernel processes the malformed op, triggers a stack out-of-bounds read, and the serving process crashes. With no rate limiting, the attacker automates this to continuously crash the service, causing persistent availability degradation to AI-powered features depending on that endpoint. A model whose DynamicStitch shapes are fixed inside the graph does not give the attacker this control, so the inventory step matters for prioritization.

Weaknesses (CWE)

CWE-125 — Out-of-bounds Read: The product reads data past the end, or before the beginning, of the intended buffer.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] Use a language that provides appropriate memory abstractions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities