CVE-2023-25664: TensorFlow: heap overflow in AvgPoolGrad, RCE risk

CRITICAL PoC AVAILABLE
Published March 25, 2023
CISO Take

A critical heap buffer overflow (CVSS 9.8) in TensorFlow's TAvgPoolGrad operation is exploitable remotely with no authentication or user interaction — any exposed TensorFlow Serving endpoint is potentially vulnerable to remote code execution. Patch immediately to TensorFlow 2.12.0 or 2.11.1; if patching is blocked, isolate all TF Serving endpoints behind network controls. Treat any unpatched TF inference infrastructure as compromised until remediated.

Risk Assessment

Extremely high risk. The CVSS 9.8 score reflects the worst-case attack surface: network-accessible, zero privileges required, zero user interaction. AvgPooling layers are ubiquitous in CNN architectures (image classification, object detection, embedding models), meaning a large percentage of deployed TensorFlow models use the vulnerable code path. TensorFlow Serving is commonly exposed internally or externally in MLOps pipelines, making this trivially reachable by an attacker with network access. The heap buffer overflow primitive in a memory-unsafe C++ backend provides a credible path to full RCE.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
tensorflow   pip         -                  No patch


Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.1% chance of exploitation in 30 days (higher than 25% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium (public PoC indexed in trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 on all systems. Verify with `pip show tensorflow` or `pip show tensorflow-gpu`.

2. NETWORK ISOLATION: Immediately restrict TF Serving endpoints to internal networks only; block external access at firewall/load balancer level for unpatched instances.

3. INPUT VALIDATION: Implement shape and dtype validation at the API boundary before tensors reach the TF runtime — reject inputs with unexpected tensor dimensions.

4. DETECTION: Monitor the TF Serving process for crashes/segfaults (crash logs, core dumps), which may indicate exploitation attempts. Enable process-level memory protection (ASLR, stack canaries) at OS level.

5. INVENTORY: Audit all TensorFlow versions across training clusters, inference servers, CI/CD pipelines, and developer machines. Flag tensorflow<2.11.1 as critical.
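An added Python example (not from this advisory or the TensorFlow project) implementing steps 3 and 5: a gateway-side check of a TF Serving REST `instances` body against an assumed model signature of `[None, 28, 28, 1]` (a constructed example; a real gateway would load the expected shape from the SavedModel signature), and an inventory check that flags tensorflow versions before the 2.11.1 / 2.12.0 fixes.

```python
import re
from typing import Any, List, Optional

# Constructed example signature (assumption): a batch of 28x28x1 images; None = unbounded batch.
EXPECTED_SHAPE = [None, 28, 28, 1]
MAX_BATCH = 64

def infer_shape(value: Any) -> Optional[List[int]]:
    """Shape of a nested-list tensor, or None if it is ragged, empty or non-numeric."""
    if isinstance(value, bool) or not isinstance(value, (int, float, list)):
        return None
    if not isinstance(value, list):
        return []                                  # numeric scalar leaf
    if not value:
        return None                                # empty axis: reject, do not guess
    shapes = [infer_shape(v) for v in value]
    if shapes[0] is None or any(s != shapes[0] for s in shapes):
        return None                                # ragged or mixed nesting
    return [len(value)] + shapes[0]

def validate_instances(payload: dict) -> str:
    """Check a TF Serving REST body {"instances": [...]} against EXPECTED_SHAPE.
    Returns "ok" or a rejection reason; anything but "ok" must not reach the runtime."""
    instances = payload.get("instances") if isinstance(payload, dict) else None
    if not isinstance(instances, list):
        return "missing instances"
    shape = infer_shape(instances)
    if shape is None:
        return "ragged, empty or non-numeric tensor"
    if len(shape) != len(EXPECTED_SHAPE):
        return f"rank {len(shape)} != {len(EXPECTED_SHAPE)}"
    for axis, (got, want) in enumerate(zip(shape, EXPECTED_SHAPE)):
        if want is not None and got != want:
            return f"axis {axis}: {got} != {want}"
    if shape[0] > MAX_BATCH:
        return f"batch {shape[0]} > {MAX_BATCH}"
    return "ok"

def is_vulnerable(version: str) -> bool:
    """Inventory check: True for tensorflow releases before 2.11.1 / 2.12.0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(.*)$", version)
    if not m:
        return True                                # unparseable: treat as unpatched
    v = tuple(int(x) for x in m.groups()[:3])
    pre = m.group(4).lstrip(".-").startswith(("rc", "dev", "a", "b"))
    if v[:2] >= (2, 12):
        return v == (2, 12, 0) and pre             # only 2.12.0 pre-releases are unfixed
    return v < (2, 11, 1) or (v == (2, 11, 1) and pre)
```

The shape check runs on the decoded JSON before any tensor is constructed, so malformed or oversized requests are rejected without touching the TF runtime.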

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity; Article 9 - Risk management system
ISO 42001: A.10.3 - Supplier and third-party relationships; A.8.4 - AI system operation and monitoring
NIST AI RMF: GOVERN 6.1 - Policies and procedures for AI risk and impact assessment; MANAGE 2.2 - Mechanisms to sustain oversight of AI systems

Frequently Asked Questions

What is CVE-2023-25664?

A critical heap buffer overflow (CVSS 9.8) in TensorFlow's TAvgPoolGrad operation is exploitable remotely with no authentication or user interaction — any exposed TensorFlow Serving endpoint is potentially vulnerable to remote code execution. Patch immediately to TensorFlow 2.12.0 or 2.11.1; if patching is blocked, isolate all TF Serving endpoints behind network controls. Treat any unpatched TF inference infrastructure as compromised until remediated.

Is CVE-2023-25664 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25664, increasing the risk of exploitation.

How to fix CVE-2023-25664?

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 on all systems. Verify with `pip show tensorflow` or `pip show tensorflow-gpu`.
2. NETWORK ISOLATION: Immediately restrict TF Serving endpoints to internal networks only; block external access at firewall/load balancer level for unpatched instances.
3. INPUT VALIDATION: Implement shape and dtype validation at the API boundary before tensors reach the TF runtime — reject inputs with unexpected tensor dimensions.
4. DETECTION: Monitor the TF Serving process for crashes/segfaults (crash logs, core dumps), which may indicate exploitation attempts. Enable process-level memory protection (ASLR, stack canaries) at OS level.
5. INVENTORY: Audit all TensorFlow versions across training clusters, inference servers, CI/CD pipelines, and developer machines. Flag tensorflow<2.11.1 as critical.

What systems are affected by CVE-2023-25664?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference APIs, ML development environments.

What is the CVSS score for CVE-2023-25664?

CVE-2023-25664 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.09%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a heap buffer overflow in TAvgPoolGrad. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An attacker identifies a TensorFlow Serving instance (default ports 8500/8501) exposed on an internal ML platform or via a misconfigured cloud security group. They send a crafted gRPC or REST inference request containing malformed tensor inputs designed to trigger the TAvgPoolGrad backward pass with invalid buffer dimensions. The heap buffer overflow corrupts adjacent memory, enabling controlled write primitives. With moderate exploit development effort, this achieves RCE under the TF Serving process account — which in MLOps environments often has broad access to model artifacts, training data stores, and cloud credentials. No credentials or prior access are required.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: March 25, 2023
Last Modified: November 21, 2024
First Seen: March 25, 2023
