CVE-2023-25659: TensorFlow: OOB read in DynamicStitch enables DoS

HIGH
Published March 25, 2023
CISO Take

A remotely exploitable denial-of-service vulnerability in TensorFlow's DynamicStitch operation requires no authentication and no user interaction — any exposed TF Serving endpoint is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; this is a straightforward crash triggered by sending mismatched tensor shapes. Impact is availability-only, but production ML inference outages are operationally significant.

Risk Assessment

High severity for organizations running TensorFlow-based inference APIs exposed to untrusted input. CVSS 7.5 with network vector, low complexity, and no privileges required means exploitation is trivial and scriptable. The blast radius is limited to availability — no confidentiality or integrity loss — but a crashed ML serving layer can cascade into downstream service failures. Risk is elevated for MLaaS platforms and internal AI APIs that process external data.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1 — the only supported fix.

  2. Workaround: Add input validation to assert indices.shape matches data.shape before invoking DynamicStitch; reject mismatched tensors at the API boundary.

  3. Containment: Run TF Serving behind an API gateway with request schema validation; enforce tensor shape constraints via serving signatures.

  4. Detection: Monitor TF Serving process crashes and abnormal terminations; alert on repeated SIGSEGV/SIGABRT from inference workers.

  5. Inventory: Audit which models use DynamicStitch ops using saved_model_cli show --dir <saved_model_dir> --tag_set serve --signature_def serving_default.
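
The workaround in step 2, sketched as an added example (not code from TensorFlow or from this page): a pre-flight check that rejects DynamicStitch inputs before they reach the op. It goes beyond a bare shape comparison and applies the op's documented contract, where each data[i] shape must start with the indices[i] shape and the remaining dimensions must be the same for every i. The function names are hypothetical, and inputs are assumed to be nested lists decoded from a JSON predict request.

```python
# Added example: pre-flight shape check for DynamicStitch inputs.
# Hypothetical helper names; this is not TensorFlow's own validation code.
# Contract checked: data[i].shape == indices[i].shape + rest, with `rest`
# identical for every i, and all indices non-negative integers.

def nested_shape(value):
    """Return the shape of a rectangular nested list; raise ValueError if ragged."""
    if not isinstance(value, list):
        return ()
    if not value:
        return (0,)
    shapes = {nested_shape(item) for item in value}
    if len(shapes) != 1:
        raise ValueError("ragged tensor")
    return (len(value),) + shapes.pop()


def flatten(value):
    """Yield every scalar in a nested list (or the scalar itself)."""
    if isinstance(value, list):
        for item in value:
            yield from flatten(item)
    else:
        yield value


def validate_dynamic_stitch(indices, data):
    """Return a list of violations; an empty list means the request may proceed."""
    if len(indices) != len(data):
        return [f"{len(indices)} indices tensors but {len(data)} data tensors"]
    errors, rest = [], None
    for i, (idx, dat) in enumerate(zip(indices, data)):
        try:
            idx_shape, dat_shape = nested_shape(idx), nested_shape(dat)
        except ValueError as exc:
            errors.append(f"pair {i}: {exc}")
            continue
        if any(isinstance(v, bool) or not isinstance(v, int) or v < 0
               for v in flatten(idx)):
            errors.append(f"pair {i}: indices must be non-negative integers")
        if dat_shape[:len(idx_shape)] != idx_shape:
            errors.append(f"pair {i}: data shape {dat_shape} does not start "
                          f"with indices shape {idx_shape}")
        elif rest is None:
            rest = dat_shape[len(idx_shape):]
        elif dat_shape[len(idx_shape):] != rest:
            errors.append(f"pair {i}: trailing data shape differs from earlier pairs")
    return errors
```

Call it at the API boundary and return a client error when the list is non-empty, so a malformed request never reaches the inference worker.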

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - AI System Robustness and Availability
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain AI system performance
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2023-25659?

A remotely exploitable denial-of-service vulnerability in TensorFlow's DynamicStitch operation requires no authentication and no user interaction — any exposed TF Serving endpoint is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; this is a straightforward crash triggered by sending mismatched tensor shapes. Impact is availability-only, but production ML inference outages are operationally significant.

Is CVE-2023-25659 actively exploited?

No confirmed active exploitation of CVE-2023-25659 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25659?

  1. Patch: Upgrade TensorFlow to 2.12.0 or 2.11.1 — the only supported fix.

  2. Workaround: Add input validation to assert indices.shape matches data.shape before invoking DynamicStitch; reject mismatched tensors at the API boundary.

  3. Containment: Run TF Serving behind an API gateway with request schema validation; enforce tensor shape constraints via serving signatures.

  4. Detection: Monitor TF Serving process crashes and abnormal terminations; alert on repeated SIGSEGV/SIGABRT from inference workers.

  5. Inventory: Audit which models use DynamicStitch ops using saved_model_cli show --dir <saved_model_dir> --tag_set serve --signature_def serving_default.

What systems are affected by CVE-2023-25659?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs.

What is the CVSS score for CVE-2023-25659?

CVE-2023-25659 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.20%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the parameter `indices` for `DynamicStitch` does not match the shape of the parameter `data`, it can trigger a stack OOB read. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary identifies an organization's TensorFlow Serving endpoint (e.g., via Shodan or a public ML API). They craft a gRPC or REST predict request with a tensor payload where the indices array dimensions do not match the data tensor shape — a two-line Python script using the TF client. Upon receipt, TensorFlow processes the malformed op, triggers a stack out-of-bounds read, and the serving process crashes. With no rate limiting, the attacker automates this to continuously crash the service, causing persistent availability degradation to AI-powered features depending on that endpoint.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities