CVE-2023-25669: TensorFlow DoS — HIGH

Q: Is CVE-2023-25669 actively exploited?

No confirmed active exploitation of CVE-2023-25669 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2023-25669?

1. Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — patches are available. 2. If patching is delayed, add server-side validation rejecting stride or window_size values <= 0 before any pooling op invocation. 3. Audit all model-serving endpoints for user-controlled tensor shape parameters. 4. Deploy TensorFlow serving in isolated containers with automatic restart policies (systemd restart=always or Kubernetes liveness probes) to minimize DoS window. 5. Monitor TensorFlow serving logs for SIGFPE signals as an indicator of active exploitation attempts.

Q: What systems are affected by CVE-2023-25669?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference.

Q: What is the CVSS score for CVE-2023-25669?

CVE-2023-25669 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.

CISO Take

An unauthenticated remote attacker can crash TensorFlow services by sending zero or negative stride/window size parameters to AvgPoolGrad operations, triggering a floating point exception. Any TensorFlow-based inference or training service accepting user-controlled tensor parameters is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately and enforce server-side input validation at all API boundaries.

What is the risk?

High risk for organizations running TensorFlow model serving endpoints that accept user-controlled parameters. CVSS 7.5 with network vector, low complexity, and no authentication required makes this readily exploitable. Impact is availability-only with no data exposure, but service disruption to production ML inference pipelines carries significant operational consequence. Risk is substantially reduced when TensorFlow ops are invoked only from trusted internal services with validated inputs.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
TensorFlow	pip	—	No patch
195.8K OpenSSF 7.1 3.7K dependents Pushed 3d ago 4% patched ~1372d to patch Full package profile →

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1

7.5 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 31% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

What should I do?

5 steps

Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — patches are available.
If patching is delayed, add server-side validation rejecting stride or window_size values <= 0 before any pooling op invocation.
Audit all model-serving endpoints for user-controlled tensor shape parameters.
Deploy TensorFlow serving in isolated containers with automatic restart policies (systemd restart=always or Kubernetes liveness probes) to minimize DoS window.
Monitor TensorFlow serving logs for SIGFPE signals as an indicator of active exploitation attempts.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

DoS Framework Inference AML.T0029 - Denial of AI Service AML.T0043 - Craft Adversarial Data AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk management system

ISO 42001

8.1 - Operational planning and control

NIST AI RMF

MANAGE-2.2 - Mechanisms to detect, respond to, and recover from AI failures

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2023-25669?

An unauthenticated remote attacker can crash TensorFlow services by sending zero or negative stride/window size parameters to AvgPoolGrad operations, triggering a floating point exception. Any TensorFlow-based inference or training service accepting user-controlled tensor parameters is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately and enforce server-side input validation at all API boundaries.

Is CVE-2023-25669 actively exploited?

No confirmed active exploitation of CVE-2023-25669 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25669?

1. Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — patches are available. 2. If patching is delayed, add server-side validation rejecting stride or window_size values <= 0 before any pooling op invocation. 3. Audit all model-serving endpoints for user-controlled tensor shape parameters. 4. Deploy TensorFlow serving in isolated containers with automatic restart policies (systemd restart=always or Kubernetes liveness probes) to minimize DoS window. 5. Monitor TensorFlow serving logs for SIGFPE signals as an indicator of active exploitation attempts.

What systems are affected by CVE-2023-25669?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference.

What is the CVSS score for CVE-2023-25669?

CVE-2023-25669 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.

What is the AI security impact?

Affected AI Architectures

training pipelinesmodel servinginference

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0043 Craft Adversarial Data

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: 8.1

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An attacker identifies a TensorFlow model-serving endpoint (TF Serving REST API, custom Flask/FastAPI wrapper, or fine-tuning service) that accepts user-submitted models or tensor inputs. By uploading a model containing an AvgPoolGrad operation with stride=0 or window_size=0, or by directly invoking tf.raw_ops.AvgPoolGrad with crafted parameters via the API, the attacker triggers a floating point exception (SIGFPE) that immediately crashes the TensorFlow process. Since no authentication is required and complexity is low, the attacker can repeat this in a loop to maintain persistent denial of service against the ML infrastructure.