CVE-2023-25663: TensorFlow: null ptr deref crashes inference serving

HIGH
Published March 25, 2023
CISO Take

A network-accessible null pointer dereference in TensorFlow allows unauthenticated attackers to crash any TF serving endpoint — no privileges or user interaction required. Any production inference infrastructure running a TensorFlow version prior to 2.11.1 or 2.12.0 is a single malformed request away from downtime. Patch immediately; this is a high-availability risk for AI-powered products.

Risk Assessment

High availability risk. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from the internet with no prerequisites. The blast radius is limited to DoS (no code execution or data exfiltration), but in production ML inference environments, availability IS the product. It is not in KEV, but the low exploitation barrier means opportunistic scanning is probable.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K; OpenSSF 7.2; 3.7K dependents; Pushed 6d ago; 4% patched; ~1372d to patch

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. Patch: Upgrade to TensorFlow 2.12.0 or 2.11.1 — official fix available, no workaround otherwise.

  2. Network controls: Place TF Serving behind an API gateway or reverse proxy; never expose raw TF endpoints to the public internet.

  3. Process supervision: Ensure serving processes auto-restart (systemd, Kubernetes liveness probes) to minimize downtime window.

  4. Detection: Monitor for abnormal crash/restart patterns in TF serving processes; unexpected SIGSEGV/SIGABRT signals from tensorflow-serving are a red flag.

  5. Inventory: Audit all ML infrastructure for TF version — include transitive dependencies in Python environments.
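For the inventory step above, this added example (not part of the original advisory or of TensorFlow) lists every TensorFlow distribution visible to a Python interpreter, including ones pulled in transitively, and compares each against the fix versions the advisory names. It assumes the `tensorflow-cpu` and `tensorflow-gpu` wheels share those fix versions, and it marks pre-release builds for manual review instead of guessing.

```python
import re
from importlib import metadata

# Fix versions come from the advisory text: 2.11.1 and 2.12.0.
FIXED = (2, 11, 1)
# Assumption: the CPU/GPU wheels follow the same fix versions as "tensorflow".
PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}


def classify(version):
    """Return 'vulnerable', 'patched' or 'review' for a version string."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        return "review"  # unparseable version: check by hand
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release < FIXED:
        return "vulnerable"
    # rc/alpha/beta/dev builds of a fixed release may predate the fix.
    if re.match(r"[.\-_]?(a|b|rc|dev)\d*", m.group(4), re.I):
        return "review"
    return "patched"


def audit(installed):
    """installed: iterable of (name, version); returns sorted TF findings."""
    findings = []
    for name, version in installed:
        norm = re.sub(r"[-_.]+", "-", name).lower()  # PyPI name normalization
        if norm in PACKAGES:
            findings.append((norm, version, classify(version)))
    return sorted(findings)


def scan_environment():
    """Audit every distribution on this interpreter's path, direct or transitive."""
    dists = metadata.distributions()
    pairs = ((d.metadata.get("Name"), d.metadata.get("Version") or "") for d in dists)
    return audit((n, v) for n, v in pairs if n)


if __name__ == "__main__":
    for name, version, status in scan_environment():
        print(f"{name} {version}: {status}")
```

Run it with each interpreter or virtual environment that serves or trains models, since every environment carries its own copy of the package.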

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system for high-risk AI
ISO 42001
A.6.2 - AI system operation and monitoring
NIST AI RMF
MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
LLM09 - Overreliance / Misinformation (infrastructure reliability angle)

Frequently Asked Questions

What is CVE-2023-25663?

A network-accessible null pointer dereference in TensorFlow allows unauthenticated attackers to crash any TF serving endpoint — no privileges or user interaction required. Any production inference infrastructure running a TensorFlow version prior to 2.11.1 or 2.12.0 is a single malformed request away from downtime. Patch immediately; this is a high-availability risk for AI-powered products.

Is CVE-2023-25663 actively exploited?

No confirmed active exploitation of CVE-2023-25663 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25663?

  1. Patch: Upgrade to TensorFlow 2.12.0 or 2.11.1 — official fix available, no workaround otherwise.

  2. Network controls: Place TF Serving behind an API gateway or reverse proxy; never expose raw TF endpoints to the public internet.

  3. Process supervision: Ensure serving processes auto-restart (systemd, Kubernetes liveness probes) to minimize downtime window.

  4. Detection: Monitor for abnormal crash/restart patterns in TF serving processes; unexpected SIGSEGV/SIGABRT signals from tensorflow-serving are a red flag.

  5. Inventory: Audit all ML infrastructure for TF version — include transitive dependencies in Python environments.

What systems are affected by CVE-2023-25663?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference endpoints, training pipelines, real-time prediction APIs.

What is the CVSS score for CVE-2023-25663?

CVE-2023-25663 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, when `ctx->step_container()` is a null ptr, the Lookup function will be executed with a null pointer. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An adversary identifies a public-facing API endpoint backed by TensorFlow Serving (e.g., a recommendation engine or fraud detection model). By crafting a specific inference request that triggers the Lookup function on an uninitialized step_container, the adversary forces a null pointer dereference and crashes the serving process. With no rate limiting in place, the attacker can script continuous crashing to maintain a sustained DoS against the AI inference layer — effectively disabling the AI-powered feature without touching application code or bypassing authentication.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023
