CVE-2023-25664: TensorFlow: heap overflow in AvgPoolGrad, RCE risk

CRITICAL PoC AVAILABLE
Published March 25, 2023
CISO Take

A heap buffer overflow rated CVSS 9.8 by NVD in TensorFlow's AvgPoolGrad kernel (TAvgPoolGrad in the advisory) is fixed in TensorFlow 2.12.0 and 2.11.1. The kernel is the backward (gradient) op for average pooling: training and fine-tuning graphs run it, a forward-only inference graph does not, so a TensorFlow Serving endpoint is exposed only if the served model itself contains the gradient op. The realistic path to it is any place where the runtime executes attacker-influenced graphs or op arguments: training and fine-tuning services that accept user-supplied models, pipelines that load untrusted SavedModels or checkpoints, and shared notebook or experimentation hosts. Patch to 2.12.0 or 2.11.1 everywhere TensorFlow runs, including training clusters and developer machines; where patching is blocked, stop loading models from untrusted sources and keep training and serving endpoints off untrusted networks.

What is the risk?

High, but narrower than the headline score suggests. The CVSS 9.8 is NVD's worst-case scoring: network-reachable, no privileges, no user interaction. What actually determines exposure is whether an untrusted party can make a TensorFlow runtime execute AvgPoolGrad with arguments they control. Average pooling is ubiquitous in CNNs, but the forward AvgPool op used at inference time is not the vulnerable code; only the gradient op is, and it runs during training and fine-tuning or when a model has been exported with gradient computation inside it. Exposure is therefore concentrated in training services, AutoML and fine-tuning APIs, model loading from untrusted sources, and shared notebook hosts, rather than in a typical forward-only TensorFlow Serving deployment. Where the op is reachable, a heap buffer overflow in a memory-unsafe C++ kernel is a credible route to code execution; the public PoC demonstrates the overflow, while the 0.4% EPSS score and CISA's "Exploitation: none" indicate no observed in-the-wild exploitation at the time of writing.

What systems are affected?

Package      Ecosystem   Vulnerable Range                                  Patched
TensorFlow   pip         < 2.11.1; 2.12.0 pre-releases (prior to 2.12.0)   2.11.1, 2.12.0

The tensorflow-cpu and tensorflow-gpu distributions ship the same runtime and share the same ranges.

Do you use TensorFlow? If any tensorflow, tensorflow-cpu or tensorflow-gpu build older than 2.11.1 (or a 2.12.0 pre-release) is installed, the vulnerable kernel is present; whether an attacker can reach it depends on who can feed graphs or op arguments to that runtime.

How severe is it?

CVSS 3.1
9.8 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Metric                     Value
Attack Vector (AV)         Network
Attack Complexity (AC)     Low
Privileges Required (PR)   None
User Interaction (UI)      None
Scope (S)                  Unchanged
Confidentiality (C)        High
Integrity (I)              High
Availability (A)           High

What should I do?

5 steps
  1. PATCH

    Upgrade TensorFlow to 2.12.0 or 2.11.1 on all systems. Verify with pip show tensorflow, pip show tensorflow-cpu or pip show tensorflow-gpu, or from Python with tensorflow.__version__; conda environments, container images and pinned lock files each need their own check.

  2. NETWORK ISOLATION

    Restrict training, fine-tuning and serving endpoints to internal networks and block external access at the firewall or load balancer for unpatched instances. Prioritise services that execute user-supplied graphs or load user-supplied models: a forward-only TF Serving model never executes AvgPoolGrad, so isolating it buys less than isolating a training API.

  3. INPUT VALIDATION

    Treat model files and graph definitions as code: do not load SavedModels, checkpoints or GraphDefs from untrusted sources into an unpatched runtime, and validate shape and dtype at API boundaries before tensors reach it. Where a service builds pooling gradients from caller-controlled parameters, check that orig_input_shape, ksize, strides, padding and the incoming gradient shape are mutually consistent before the op is called.

  4. DETECTION

    Monitor TensorFlow processes (TF Serving, training workers, notebook kernels) for crashes and segfaults: kernel segfault messages, core dumps and container restart loops. Repeated faults from one client or job are the most useful signal. Keep ASLR on (it is an OS-level setting), but note that stack canaries are a compile-time mitigation and do not stop a heap overflow; the larger practical gain is running the process as an unprivileged user in a container with a read-only filesystem and minimal cloud credentials, so that a successful exploit yields little.

  5. INVENTORY

    Audit all TensorFlow versions across training clusters, inference servers, CI/CD pipelines, notebook hosts and developer machines, covering tensorflow, tensorflow-cpu and tensorflow-gpu. Flag anything below 2.11.1, and any 2.12.0 pre-release, as critical.
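A version audit covering the PATCH and INVENTORY steps, as an added example that is not part of this page's original content or of TensorFlow's own tooling. It checks whichever of the tensorflow, tensorflow-cpu and tensorflow-gpu distributions are installed in the current interpreter and flags versions that predate the fixed releases named in the advisory (2.11.1 and 2.12.0). Pre-releases of a fixed version (for example 2.12.0rc1) are treated as vulnerable on the assumption that "prior to 2.12.0" in the advisory includes them, which matches PEP 440 ordering; the FIXED table, DISTRIBUTIONS tuple and is_vulnerable function are this example's own names.

```python
"""Audit installed TensorFlow distributions for CVE-2023-25664.

Added example for this page, not TensorFlow's own tooling. Run it inside
every environment you want to check (virtualenv, conda env, container).
"""
import re
from importlib import metadata

# First fixed release on each affected line, from the advisory text.
# Release lines before 2.11 never received the fix; 2.13 and later
# branched after it. These names are this example's own.
FIXED = {(2, 11): (2, 11, 1), (2, 12): (2, 12, 0)}
DISTRIBUTIONS = ("tensorflow", "tensorflow-cpu", "tensorflow-gpu")

# major.minor.patch with an optional pre-release tag (rc1, a0, .dev20230301);
# anything after that (local tags such as +cpu) is ignored.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.?(rc|a|b|dev)\d+)?", re.IGNORECASE)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a PEP 440 style version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    return release, m.group(4) is not None


def is_vulnerable(version):
    """True when the version predates the fix for its release line."""
    release, prerelease = parse_version(version)
    line = release[:2]
    if line < (2, 11):
        return True
    fixed = FIXED.get(line)
    if fixed is None:
        return False
    # A pre-release of the fixed version (2.12.0rc1) sorts before the fix.
    return release < fixed or (release == fixed and prerelease)


def audit_installed(distributions=DISTRIBUTIONS):
    """Return {distribution: (version, vulnerable)} for the packages present."""
    findings = {}
    for name in distributions:
        try:
            version = metadata.version(name)
        except metadata.PackageNotFoundError:
            continue
        findings[name] = (version, is_vulnerable(version))
    return findings


if __name__ == "__main__":
    found = audit_installed()
    if not found:
        print("no TensorFlow distribution installed in this interpreter")
    for name, (version, vulnerable) in found.items():
        status = "VULNERABLE to CVE-2023-25664" if vulnerable else "fixed"
        print(f"{name} {version}: {status}")
```

The check is per interpreter, so run it from each Python that can execute models; a host with a patched system TensorFlow and an old version inside a container or conda environment is still exposed.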

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree. "Exploitation: none" means CISA has no report of active exploitation; the public PoC indexed above triggers the overflow but is not evidence of in-the-wild attacks.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.10.3 - Supplier and third-party relationships
A.8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN 6.1 - Policies and procedures for AI risk and impact assessment
MANAGE 2.2 - Mechanisms to sustain oversight of AI systems

Frequently Asked Questions

What is CVE-2023-25664?

A heap buffer overflow rated CVSS 9.8 by NVD in TensorFlow's AvgPoolGrad kernel (TAvgPoolGrad in the advisory), fixed in TensorFlow 2.12.0 and 2.11.1. The kernel is the gradient op for average pooling, so it is executed by training and fine-tuning graphs, by models exported with gradient computation inside them, and by anything that loads an attacker-supplied graph; a forward-only inference graph does not run it. Patch to 2.12.0 or 2.11.1 everywhere TensorFlow runs; where patching is blocked, stop loading models from untrusted sources and keep training and serving endpoints off untrusted networks.

Is CVE-2023-25664 actively exploited?

Proof-of-concept code that triggers the overflow is publicly available for CVE-2023-25664, which lowers the effort needed to reproduce the bug. No active exploitation has been reported: CISA's SSVC record lists Exploitation as "none" and the EPSS score is 0.4%.

How to fix CVE-2023-25664?

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 on all systems; verify with `pip show tensorflow`, `pip show tensorflow-cpu` or `pip show tensorflow-gpu`. 2. NETWORK ISOLATION: Restrict training, fine-tuning and serving endpoints to internal networks and block external access for unpatched instances, prioritising services that execute user-supplied graphs or load user-supplied models. 3. INPUT VALIDATION: Treat model files and graph definitions as code, refuse untrusted SavedModels, checkpoints and GraphDefs on unpatched runtimes, and validate shape and dtype at API boundaries; where pooling gradients are built from caller-controlled parameters, check that orig_input_shape, ksize, strides, padding and the gradient shape are mutually consistent. 4. DETECTION: Monitor TensorFlow processes for crashes and segfaults (kernel segfault messages, core dumps, restart loops); keep ASLR on and run the process as an unprivileged user with a read-only filesystem and minimal credentials. 5. INVENTORY: Audit all TensorFlow versions across training clusters, inference servers, CI/CD pipelines, notebook hosts and developer machines; flag anything below 2.11.1, and any 2.12.0 pre-release, as critical.
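A detector for the DETECTION step, as an added example that is not part of this page's original content: it parses the Linux kernel's segfault messages (as they appear in dmesg or the journal) and flags faults in TensorFlow processes. The kernel truncates the process name to 15 characters, so tensorflow_model_server appears as tensorflow_mode; the example also matches on the faulting object when it is a libtensorflow shared library, which catches Python training workers. The sample log lines are constructed for this example, and the function, constant and field names are its own.

```python
"""Flag kernel segfault messages from TensorFlow processes.

Added example for this page. Feed it dmesg or journal output; the regex
follows the x86_64 show_signal_msg() format:
  comm[pid]: segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]
"""
import re

SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<code>\d+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

# comm is TASK_COMM_LEN-1 = 15 bytes, so "tensorflow_model_server" shows as this.
TF_COMM_PREFIXES = ("tensorflow_mode",)
TF_OBJECT_PREFIXES = ("libtensorflow", "_pywrap_tensorflow")


def decode_error_code(code):
    """Split the x86 page-fault error code into the bits an analyst cares about."""
    return {
        "present": bool(code & 1),   # 0: page not present, 1: protection violation
        "write": bool(code & 2),     # 0: read access, 1: write access
        "user": bool(code & 4),      # fault taken in user mode
    }


def parse_segfault(line):
    """Return a dict for a kernel segfault line, or None for anything else."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["code"] = int(rec["code"])
    rec["fault"] = decode_error_code(rec["code"])
    rec["tensorflow"] = (rec["comm"].startswith(TF_COMM_PREFIXES)
                         or rec["obj"].startswith(TF_OBJECT_PREFIXES))
    return rec


def tensorflow_faults(lines):
    """Segfault records attributable to TensorFlow, in log order."""
    recs = (parse_segfault(line) for line in lines)
    return [r for r in recs if r and r["tensorflow"]]


# Constructed sample: a TF Serving write fault inside libtensorflow_framework,
# an unrelated Python crash, a Python training worker faulting in the TF
# framework library, and a line that is not a segfault at all.
SAMPLE_LOG = """\
[ 8123.456789] tensorflow_mode[2171]: segfault at 7f3a1c100000 ip 00007f3a9e21d4c2 sp 00007ffd1a3b2e10 error 6 in libtensorflow_framework.so.2[7f3a9df00000+1200000]
[ 8130.001122] python3[2290]: segfault at 0 ip 0000563a1c0f4d20 sp 00007ffc3e0b1c80 error 4 in python3.10[563a1c000000+2b0000]
[ 8144.250000] python3[2305]: segfault at 7f1d00000000 ip 00007f1d8a45b1e0 sp 00007ffe22c0a9f0 error 6 in libtensorflow_framework.so.2[7f1d8a100000+1200000]
[ 8150.000000] sshd[1450]: Accepted publickey for deploy from 10.0.0.12 port 51022
""".splitlines()


if __name__ == "__main__":
    for rec in tensorflow_faults(SAMPLE_LOG):
        kind = "write" if rec["fault"]["write"] else "read"
        print(f"pid {rec['pid']} ({rec['comm']}): {kind} fault at 0x{rec['addr']} "
              f"in {rec['obj']} -> investigate, possible CVE-2023-25664 attempt")
```

A single fault is not proof of an attack; correlate the timestamp with the request or job log of the process, and treat several faults from the same client or job, or write faults at addresses far outside the faulting object's mapping, as the escalation trigger. Where systemd-coredump is in use, coredumpctl gives the matching core for a backtrace.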

What systems are affected by CVE-2023-25664?

This vulnerability affects the following AI/ML architecture patterns: training pipelines and ML development environments first, since they execute gradient ops; model serving and inference APIs only where the served graph includes AvgPoolGrad or the service loads models from untrusted sources.

What is the CVSS score for CVE-2023-25664?

CVE-2023-25664 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.41%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference APIs, ML development environments

MITRE ATLAS Techniques

AML.T0000 Search Open Technical Databases
AML.T0010.001 AI Software
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.10.3, A.8.4
NIST AI RMF: GOVERN 6.1, MANAGE 2.2

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An attacker needs an unpatched TensorFlow runtime to execute AvgPoolGrad with arguments they control. The most direct route is a training or fine-tuning service that accepts user-defined models: the attacker submits a graph (or a SavedModel, checkpoint or GraphDef that the service loads) in which AvgPoolGrad is called with an orig_input_shape, ksize, strides and gradient tensor that are inconsistent with each other, so the kernel's index arithmetic runs past the heap buffers it allocated. A shared notebook host, or any process that loads models from untrusted sources, is exposed the same way. A TensorFlow Serving instance (default ports 8500 for gRPC, 8501 for REST) is exposed only if the served signature wraps a function whose graph contains the gradient op, for example a model exported with its gradient computation; a standard forward-only SavedModel never runs this kernel, however malformed the request tensors are. Where the overflow is reachable, corruption of adjacent heap memory is the starting point for an exploit that, with moderate development effort, could achieve code execution under the TensorFlow process account, which in MLOps environments often holds broad access to model artifacts, training data stores and cloud credentials. No credentials are required beyond whatever the service demands to submit a job or model.
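The consistency check that the scenario above turns on, as an added example that is not part of this page or of TensorFlow's source: a pure-Python pre-check of the arguments a caller would pass to tf.raw_ops.AvgPoolGrad (orig_input_shape, grad, ksize, strides, padding) for NHWC layouts, of the kind the INPUT VALIDATION step asks for. It recomputes the pooled output shape that orig_input_shape, ksize, strides and padding imply and refuses a gradient tensor whose shape disagrees, along with non-positive values, batch or depth pooling windows, and input shapes whose element count does not fit in int32. The function names, the INT32_MAX cap and the sample shapes are this example's own choices; it illustrates the class of check rather than reproducing the upstream patch.

```python
"""Pre-validate AvgPoolGrad arguments before they reach the TensorFlow runtime.

Added example for this page, not TensorFlow code. Shapes are plain Python
lists of ints, as they would arrive from a JSON job definition or a
GraphDef attribute. NHWC layouts only.
"""
INT32_MAX = 2**31 - 1  # element counts above this are refused (this example's policy)


def pooled_size(in_size, window, stride, padding):
    """Spatial output size of a pooling op, using TensorFlow's VALID/SAME rules."""
    if padding == "VALID":
        if in_size < window:
            raise ValueError(f"VALID padding: window {window} larger than input {in_size}")
        return (in_size - window) // stride + 1
    if padding == "SAME":
        return -(-in_size // stride)  # ceil(in_size / stride)
    raise ValueError(f"padding must be VALID or SAME, got {padding!r}")


def _check_rank4_positive(name, dims):
    if len(dims) != 4:
        raise ValueError(f"{name} must have rank 4, got {len(dims)}")
    if any(not isinstance(d, int) or isinstance(d, bool) or d <= 0 for d in dims):
        raise ValueError(f"{name} must contain positive integers, got {dims}")


def validate_avg_pool_grad_args(orig_input_shape, grad_shape, ksize, strides, padding,
                                data_format="NHWC"):
    """Return the pooled output shape, or raise ValueError if the arguments
    do not describe one self-consistent average-pooling backward pass."""
    if data_format != "NHWC":
        raise ValueError("this example validates NHWC layouts only")
    for name, dims in (("orig_input_shape", orig_input_shape), ("grad", grad_shape),
                       ("ksize", ksize), ("strides", strides)):
        _check_rank4_positive(name, dims)
    # Average pooling is spatial only: no window or stride over batch or depth.
    if ksize[0] != 1 or ksize[3] != 1 or strides[0] != 1 or strides[3] != 1:
        raise ValueError("ksize and strides must be 1 on the batch and depth dimensions")
    # The kernel allocates prod(orig_input_shape) elements for the input gradient;
    # refuse counts that cannot be represented as an int32 index.
    elements = 1
    for d in orig_input_shape:
        elements *= d
        if elements > INT32_MAX:
            raise ValueError(f"orig_input_shape {orig_input_shape} has more than int32 elements")
    n, h, w, c = orig_input_shape
    expected = (n,
                pooled_size(h, ksize[1], strides[1], padding),
                pooled_size(w, ksize[2], strides[2], padding),
                c)
    if tuple(grad_shape) != expected:
        raise ValueError(f"grad shape {tuple(grad_shape)} does not match the pooled "
                         f"output shape {expected} implied by the other arguments")
    return expected


def rejection_reason(**kwargs):
    """None when the arguments pass, otherwise the validation error message."""
    try:
        validate_avg_pool_grad_args(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample jobs: one consistent, one with a mismatched gradient,
    # one with an input shape whose element count overflows int32.
    jobs = {
        "consistent": dict(orig_input_shape=[1, 4, 4, 1], grad_shape=[1, 2, 2, 1],
                           ksize=[1, 2, 2, 1], strides=[1, 2, 2, 1], padding="VALID"),
        "grad mismatch": dict(orig_input_shape=[1, 4, 4, 1], grad_shape=[1, 4, 3, 2],
                              ksize=[1, 2, 2, 1], strides=[1, 2, 2, 1], padding="VALID"),
        "oversized input": dict(orig_input_shape=[2**30, 2**30, 2**30, 2**30],
                                grad_shape=[1, 1, 1, 1], ksize=[1, 1, 1, 1],
                                strides=[1, 1, 1, 1], padding="SAME"),
    }
    for label, job in jobs.items():
        print(f"{label}: {rejection_reason(**job) or 'accepted'}")
```

Run the check in the service that accepts the job, before any graph is built, and log the rejection with the caller identity; on an unpatched runtime it keeps the inconsistent argument set from reaching the kernel, and on a patched one it gives a cleaner error than the op's own failure.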

Weaknesses (CWE)

CWE-120 — Buffer Copy without Checking Size of Input ('Classic Buffer Overflow'): The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities