CVE-2023-25663: TensorFlow: null ptr deref crashes inference serving
Severity: HIGH
A network-accessible null pointer dereference in TensorFlow allows unauthenticated attackers to crash any TF serving endpoint — no privileges or user interaction required. Any production inference infrastructure running TF < 2.11.1 or < 2.12.0 is a single malformed request away from downtime. Patch immediately; this is a high-availability risk for AI-powered products.
What is the risk?
High availability risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from the internet with no prerequisites. The blast radius is limited to DoS (no code execution or data exfiltration), but in production ML inference environments, availability IS the product. Not in KEV, but low exploitation barrier means opportunistic scanning is probable.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. Patch: Upgrade to TensorFlow 2.12.0 or 2.11.1 — official fix available, no workaround otherwise.
2. Network controls: Place TF Serving behind an API gateway or reverse proxy; never expose raw TF endpoints to the public internet.
3. Process supervision: Ensure serving processes auto-restart (systemd, Kubernetes liveness probes) to minimize downtime window.
4. Detection: Monitor for abnormal crash/restart patterns in TF serving processes; unexpected SIGSEGV/SIGABRT signals from tensorflow-serving are a red flag.
5. Inventory: Audit all ML infrastructure for TF version — include transitive dependencies in Python environments.
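For the inventory step, the following added example (not part of the original advisory or the TensorFlow project) scans `pip freeze` style pins and flags TensorFlow versions that predate the fixed releases 2.11.1 and 2.12.0. It assumes the `tensorflow-cpu` and `tensorflow-gpu` distributions ship the same code, and it conservatively treats a pre-release of a fixed version as still affected; the sample pins are constructed.

```python
import re

# Fixed releases named in the advisory text on this page.
FIXED = ((2, 11, 1), (2, 12, 0))
# Assumption: these PyPI distributions ship the same TensorFlow code.
TF_DISTS = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
PIN = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*((\d+)\.(\d+)(?:\.(\d+))?([^\s;#]*))")

def normalize(name):
    """PEP 503 name normalization, so tensorflow_gpu equals tensorflow-gpu."""
    return re.sub(r"[-_.]+", "-", name).lower()

def is_affected(release, suffix=""):
    """True when a (major, minor, patch) release predates the fixed versions."""
    pre = bool(re.match(r"[.-]?(a|b|rc|dev)", suffix, re.I))
    if pre and release in FIXED:
        return True  # conservative assumption: a pre-release predates the fix
    return release < FIXED[0]

def audit(lines):
    """Return [(dist, version, affected)] for every TensorFlow pin found."""
    findings = []
    for line in lines:
        m = PIN.match(line)
        if not m or normalize(m.group(1)) not in TF_DISTS:
            continue  # unpinned line, or a different distribution
        release = (int(m.group(3)), int(m.group(4)), int(m.group(5) or 0))
        findings.append((normalize(m.group(1)), m.group(2),
                         is_affected(release, m.group(6))))
    return findings

# Constructed sample input, not taken from any real environment.
SAMPLE = """\
numpy==1.24.2
tensorflow==2.11.0
tensorflow_gpu==2.10.1
tensorflow-cpu==2.11.1
tensorflow==2.12.0rc0
tensorflow==2.13.0
tensorflow-serving-api==2.11.0
""".splitlines()

if __name__ == "__main__":
    for dist, version, affected in audit(SAMPLE):
        print(f"{dist:16} {version:10} {'AFFECTED' if affected else 'ok'}")
```

Run it against the output of `pip freeze` from each environment or container image so that TensorFlow pulled in as a transitive dependency is also checked.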
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2023-25663 actively exploited?
No confirmed active exploitation of CVE-2023-25663 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2023-25663?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, real-time prediction APIs.
What is the CVSS score for CVE-2023-25663?
CVE-2023-25663 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0029 Denial of AI Service
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null ptr, the Lookup function will be executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Exploitation Scenario
An adversary identifies a public-facing API endpoint backed by TensorFlow Serving (e.g., a recommendation engine or fraud detection model). By crafting a specific inference request that triggers the Lookup function on an uninitialized step_container, the adversary forces a null pointer dereference and crashes the serving process. With no rate limiting in place, the attacker can script continuous crashing to maintain a sustained DoS against the AI inference layer — effectively disabling the AI-powered feature without touching application code or bypassing authentication.
Weaknesses (CWE)
CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.
- [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
- [Requirements] Select a programming language that is not susceptible to these issues.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
Timeline
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |