CVE-2023-25666 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

Any TensorFlow deployment exposing audio spectrogram inference to untrusted inputs is vulnerable to remote process crashes with no authentication required. Patch immediately to TensorFlow 2.12.0 or 2.11.1 — this is a one-line version bump with no workaround available. Audio-based ML services (speech recognition, sound classification, media analysis) should treat this as P1 if internet-facing.

Risk Assessment

Practical risk is HIGH for exposed audio ML inference endpoints. The CVSS 7.5 reflects the low attack complexity and zero privilege requirement — an unauthenticated attacker can crash the TF process by submitting a malformed audio payload. Impact is pure availability: no data exfiltration, no code execution. Organizations running audio ML in shared inference infrastructure (multi-tenant model servers) face amplified risk as a single crash affects all co-hosted models.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 17% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — no functional workaround exists.
DETECT

Monitor for sudden TF process terminations or inference service crashes; correlate with incoming audio payloads. Add input validation to reject audio inputs with zero-length or pathological dimensions before they reach the TF graph.
ISOLATE

Run audio inference in separate processes/containers from other model serving to contain blast radius of a crash.
SCAN

Audit all TF versions across model serving infrastructure; flag anything below 2.11.1.
WAF/API GATEWAY: Enforce audio payload size limits and format validation at the API layer upstream of the TF inference server.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - AI system availability and resilience

NIST AI RMF

MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of deployed AI systems MEASURE-2.5 - AI system robustness is evaluated and documented

Frequently Asked Questions

What is CVE-2023-25666?

Any TensorFlow deployment exposing audio spectrogram inference to untrusted inputs is vulnerable to remote process crashes with no authentication required. Patch immediately to TensorFlow 2.12.0 or 2.11.1 — this is a one-line version bump with no workaround available. Audio-based ML services (speech recognition, sound classification, media analysis) should treat this as P1 if internet-facing.

Is CVE-2023-25666 actively exploited?

No confirmed active exploitation of CVE-2023-25666 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25666?

1. PATCH: Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — no functional workaround exists. 2. DETECT: Monitor for sudden TF process terminations or inference service crashes; correlate with incoming audio payloads. Add input validation to reject audio inputs with zero-length or pathological dimensions before they reach the TF graph. 3. ISOLATE: Run audio inference in separate processes/containers from other model serving to contain blast radius of a crash. 4. SCAN: Audit all TF versions across model serving infrastructure; flag anything below 2.11.1. 5. WAF/API GATEWAY: Enforce audio payload size limits and format validation at the API layer upstream of the TF inference server.

What systems are affected by CVE-2023-25666?

This vulnerability affects the following AI/ML architecture patterns: model serving, audio processing pipelines, training pipelines, media analysis pipelines.

What is the CVSS score for CVE-2023-25666?

CVE-2023-25666 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.05%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, there is a floating point exception in AudioSpectrogram. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary identifies a public-facing audio classification or speech recognition API backed by TensorFlow. They craft a malformed audio payload — for example, a WAV file with parameters designed to produce a zero-denominator condition in the AudioSpectrogram FFT computation. Submitting this payload via a standard HTTP POST to the inference endpoint triggers a floating point exception (SIGFPE) in the TF runtime, crashing the serving process. In a containerized deployment without auto-restart, this takes the service offline. With auto-restart, the attacker repeatedly submits the payload to maintain a persistent denial of service at minimal cost — no authentication, no special tooling required, just crafted audio bytes.