CVE-2023-25667 — HIGH (CVSS 7.5) AI Security Vulnerability

Q: Is CVE-2023-25667 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25667, increasing the risk of exploitation.

Q: How to fix CVE-2023-25667?

1. PATCH: Upgrade to TensorFlow ≥2.12.0 or ≥2.11.1. Both branches contain the fix (commit 8dc723f). 2. WORKAROUND: Enforce strict input validation before TF ops — reject images where num_frames × height × width × channels ≥ 2^31. Add server-side dimension caps (e.g., max 1920×1080, max 300 frames). 3. DETECTION: Monitor for repeated crashes or OOM errors in TF Serving logs with large image payloads. Alert on process restarts in model-serving pods. 4. HARDENING: Run TF Serving in isolated containers with resource limits and automatic restart policies to minimize blast radius. 5. DEPENDENCY AUDIT: Scan requirements.txt / conda environments across ML repos for pinned tensorflow < 2.11.1.

Q: What systems are affected by CVE-2023-25667?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference, computer vision APIs.

Q: What is the CVSS score for CVE-2023-25667?

CVE-2023-25667 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

CISO Take

Any TensorFlow deployment that accepts image or video input from untrusted sources is exploitable without authentication — an attacker can crash the process by sending a crafted frame buffer exceeding 2^31 pixels in total size. Upgrade to TensorFlow 2.12.0 or 2.11.1 immediately; if patching is delayed, validate input dimensions before they reach TF decode operations. No active exploitation reported, but the low-complexity network vector makes this a realistic threat to exposed model-serving endpoints.

Risk Assessment

CVSS 7.5 High with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from the network with no credentials. Impact is limited to availability (no code execution, no data disclosure), but crashing a TensorFlow serving process in production causes direct revenue and SLA impact. Risk is highest for organizations exposing TF Serving or custom Flask/FastAPI endpoints that pass raw image/video bytes directly into TensorFlow ops. On-premises and cloud inference APIs accepting multipart uploads or video URLs are the primary attack surface.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 43% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

PATCH

Upgrade to TensorFlow ≥2.12.0 or ≥2.11.1. Both branches contain the fix (commit 8dc723f).
WORKAROUND

Enforce strict input validation before TF ops — reject images where num_frames × height × width × channels ≥ 2^31. Add server-side dimension caps (e.g., max 1920×1080, max 300 frames).
DETECTION

Monitor for repeated crashes or OOM errors in TF Serving logs with large image payloads. Alert on process restarts in model-serving pods.
HARDENING

Run TF Serving in isolated containers with resource limits and automatic restart policies to minimize blast radius.
DEPENDENCY AUDIT

Scan requirements.txt / conda environments across ML repos for pinned tensorflow < 2.11.1.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

6.1.2 - AI risk treatment 8.4 - AI system operation

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain AI operations under adversarial conditions MAP-5.1 - Likelihood and impact of AI risks assessed

Frequently Asked Questions

What is CVE-2023-25667?

Any TensorFlow deployment that accepts image or video input from untrusted sources is exploitable without authentication — an attacker can crash the process by sending a crafted frame buffer exceeding 2^31 pixels in total size. Upgrade to TensorFlow 2.12.0 or 2.11.1 immediately; if patching is delayed, validate input dimensions before they reach TF decode operations. No active exploitation reported, but the low-complexity network vector makes this a realistic threat to exposed model-serving endpoints.

Is CVE-2023-25667 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25667, increasing the risk of exploitation.

How to fix CVE-2023-25667?

1. PATCH: Upgrade to TensorFlow ≥2.12.0 or ≥2.11.1. Both branches contain the fix (commit 8dc723f). 2. WORKAROUND: Enforce strict input validation before TF ops — reject images where num_frames × height × width × channels ≥ 2^31. Add server-side dimension caps (e.g., max 1920×1080, max 300 frames). 3. DETECTION: Monitor for repeated crashes or OOM errors in TF Serving logs with large image payloads. Alert on process restarts in model-serving pods. 4. HARDENING: Run TF Serving in isolated containers with resource limits and automatic restart policies to minimize blast radius. 5. DEPENDENCY AUDIT: Scan requirements.txt / conda environments across ML repos for pinned tensorflow < 2.11.1.

What systems are affected by CVE-2023-25667?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, batch inference, computer vision APIs.

What is the CVSS score for CVE-2023-25667?

CVE-2023-25667 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, integer overflow occurs when `2^31 <= num_frames * height * width * channels < 2^32`, for example Full HD screencast of at least 346 frames. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary targets a computer vision API endpoint that accepts video uploads for activity recognition or content moderation. They craft a minimal animated GIF or multi-frame TIFF where num_frames × height × width × channels evaluates to approximately 2^31, triggering the integer overflow when TensorFlow decodes the frame buffer. The TF process crashes, taking down the inference service. In a Kubernetes deployment without proper readiness probes, the pod restart cycle can be maintained with repeated requests, creating a sustained DoS. No ML expertise is required — just knowledge of the overflow threshold and basic image format manipulation.