CVE-2023-25660: TensorFlow: null ptr deref in Print op allows remote DoS

HIGH
Published March 25, 2023
CISO Take

Any TensorFlow deployment exposing model inference endpoints is at risk of remote crash with zero authentication required. An attacker can trigger a segfault by crafting input that reaches `tf.raw_ops.Print` with `summarize=0`, taking down your serving infrastructure. Patch immediately to TensorFlow 2.12.0 or 2.11.1 — no workaround replaces the fix.

Risk Assessment

High risk for production ML serving environments. The CVSS vector (AV:N/AC:L/PR:N/UI:N) means this is trivially exploitable over the network with no credentials. While impact is limited to availability (no data exfiltration), crashing a production inference endpoint can have serious operational consequences for AI-dependent products and services. Risk is elevated for organizations with externally exposed TensorFlow serving APIs and reduced for purely internal training workloads.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

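AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High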

Recommended Action

  1. Patch

    Upgrade to TensorFlow >= 2.12.0 or >= 2.11.1 immediately.

  2. Audit

    Scan model graphs for embedded tf.raw_ops.Print operations before deploying to production using SavedModel inspection tools.

  3. Input validation

    At inference API boundaries, validate and sanitize integer parameters before they reach TF ops.

  4. Detection

    Monitor for abnormal process crashes or segfaults in TensorFlow serving processes — these may indicate exploitation attempts.

  5. Isolation

    Run TensorFlow inference in containerized environments with restart policies to limit DoS impact window.

  6. Deprecate debug ops

    Remove Print ops from production model graphs — they serve no runtime purpose and expand attack surface.
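
One way to carry out the audit in step 2, as an added example (not code from this page or from the TensorFlow project): walk a graph's top-level nodes and its library functions, report every `Print` op, and mark those whose `summarize` attribute is 0. The function names and the sample graph are constructed for illustration; the code assumes an absent `summarize` attribute means the op default of 3.

```python
from types import SimpleNamespace

PRINT_OP = "Print"          # graph op type behind tf.raw_ops.Print
SUMMARIZE_DEFAULT = 3       # assumed op default when the attr is stripped

def _iter_nodes(graph_def):
    """Yield (scope, node) for top-level nodes and nodes inside library functions."""
    for node in graph_def.node:
        yield "<main>", node
    for fn in graph_def.library.function:
        for node in fn.node_def:
            yield fn.signature.name, node

def find_print_ops(graph_def):
    """Return one finding per Print node; 'crash_risk' marks summarize == 0."""
    findings = []
    for scope, node in _iter_nodes(graph_def):
        if node.op != PRINT_OP:
            continue
        # Check membership first: indexing a protobuf map inserts a default entry.
        if "summarize" in node.attr:
            summarize = node.attr["summarize"].i
        else:
            summarize = SUMMARIZE_DEFAULT
        findings.append({"scope": scope, "node": node.name,
                         "summarize": summarize, "crash_risk": summarize == 0})
    return findings

def audit_saved_model(path):
    """Scan every MetaGraph in a saved_model.pb file (requires tensorflow)."""
    from tensorflow.core.protobuf import saved_model_pb2
    model = saved_model_pb2.SavedModel()
    with open(path, "rb") as fh:
        model.ParseFromString(fh.read())
    return [f for mg in model.meta_graphs for f in find_print_ops(mg.graph_def)]

def _node(name, op, **attrs):
    # Constructed stand-in exposing only the NodeDef fields used above.
    return SimpleNamespace(name=name, op=op,
                           attr={k: SimpleNamespace(i=v) for k, v in attrs.items()})

def constructed_graph():
    """Constructed sample graph (not from a real model) for offline use."""
    fn = SimpleNamespace(signature=SimpleNamespace(name="__inference_debug_fn"),
                         node_def=[_node("dbg/Print", "Print", summarize=0)])
    return SimpleNamespace(
        node=[_node("dense/MatMul", "MatMul"), _node("log/Print", "Print")],
        library=SimpleNamespace(function=[fn]))
```

Against a real export, pass the path of its `saved_model.pb` to `audit_saved_model`; a finding with `crash_risk` set is a reason to hold the model back from any runtime older than the patched versions.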

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk Management System
ISO 42001
A.6.2.6 - AI System Operation
NIST AI RMF
GOVERN-1.7 - Processes for AI risk monitoring and management
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM06:2025 - Excessive Agency / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-25660?

Any TensorFlow deployment exposing model inference endpoints is at risk of remote crash with zero authentication required. An attacker can trigger a segfault by crafting input that reaches `tf.raw_ops.Print` with `summarize=0`, taking down your serving infrastructure. Patch immediately to TensorFlow 2.12.0 or 2.11.1 — no workaround replaces the fix.

Is CVE-2023-25660 actively exploited?

No confirmed active exploitation of CVE-2023-25660 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25660?

1. **Patch**: Upgrade to TensorFlow >= 2.12.0 or >= 2.11.1 immediately.
2. **Audit**: Scan model graphs for embedded `tf.raw_ops.Print` operations before deploying to production using SavedModel inspection tools.
3. **Input validation**: At inference API boundaries, validate and sanitize integer parameters before they reach TF ops.
4. **Detection**: Monitor for abnormal process crashes or segfaults in TensorFlow serving processes — these may indicate exploitation attempts.
5. **Isolation**: Run TensorFlow inference in containerized environments with restart policies to limit DoS impact window.
6. **Deprecate debug ops**: Remove `Print` ops from production model graphs — they serve no runtime purpose and expand attack surface.

What systems are affected by CVE-2023-25660?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints, ML model deployment.

What is the CVSS score for CVE-2023-25660?

CVE-2023-25660 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when the parameter `summarize` of `tf.raw_ops.Print` is zero, the new method `SummarizeArray<bool>` will reference to a nullptr, leading to a seg fault. A fix is included in TensorFlow version 2.12 and version 2.11.1.

Exploitation Scenario

An adversary identifies a public-facing TensorFlow Serving endpoint hosting a model that includes `tf.raw_ops.Print` with a user-influenced `summarize` parameter (common in debug-enabled exports). The attacker sends a crafted inference request with `summarize=0`, which triggers `SummarizeArray<bool>` to dereference a null pointer, causing an immediate segfault and crashing the serving process. In a Kubernetes deployment without proper liveness probes, this can result in extended downtime. The attack requires no authentication, no ML knowledge, and can be automated to repeatedly crash restarted instances, achieving sustained denial of service against AI-dependent applications.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 25, 2023
Last Modified: November 21, 2024
First Seen: March 25, 2023
