AI Threat Alert AI Threat Alert

CVE-2023-25669: TensorFlow: DoS via AvgPoolGrad invalid stride params

HIGH
Published March 25, 2023
CISO Take

An unauthenticated remote attacker can crash TensorFlow services by sending zero or negative stride/window size parameters to AvgPoolGrad operations, triggering a floating point exception. Any TensorFlow-based inference or training service accepting user-controlled tensor parameters is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately and enforce server-side input validation at all API boundaries.

Risk Assessment

High risk for organizations running TensorFlow model serving endpoints that accept user-controlled parameters. CVSS 7.5 with network vector, low complexity, and no authentication required makes this readily exploitable. Impact is availability-only with no data exposure, but service disruption to production ML inference pipelines carries significant operational consequence. Risk is substantially reduced when TensorFlow ops are invoked only from trusted internal services with validated inputs.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Moderate

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps

  1. Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — patches are available.

  2. If patching is delayed, add server-side validation rejecting stride or window_size values <= 0 before any pooling op invocation.

  3. Audit all model-serving endpoints for user-controlled tensor shape parameters.

  4. Deploy TensorFlow serving in isolated containers with automatic restart policies (systemd restart=always or Kubernetes liveness probes) to minimize DoS window.

  5. Monitor TensorFlow serving logs for SIGFPE signals as an indicator of active exploitation attempts.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0029 AML.T0043 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
8.1 - Operational planning and control
NIST AI RMF
MANAGE-2.2 - Mechanisms to detect, respond to, and recover from AI failures
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2023-25669?

An unauthenticated remote attacker can crash TensorFlow services by sending zero or negative stride/window size parameters to AvgPoolGrad operations, triggering a floating point exception. Any TensorFlow-based inference or training service accepting user-controlled tensor parameters is at risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately and enforce server-side input validation at all API boundaries.

Is CVE-2023-25669 actively exploited?

No confirmed active exploitation of CVE-2023-25669 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25669?

1. Upgrade TensorFlow to 2.12.0 or 2.11.1 immediately — patches are available. 2. If patching is delayed, add server-side validation rejecting stride or window_size values <= 0 before any pooling op invocation. 3. Audit all model-serving endpoints for user-controlled tensor shape parameters. 4. Deploy TensorFlow serving in isolated containers with automatic restart policies (systemd restart=always or Kubernetes liveness probes) to minimize DoS window. 5. Monitor TensorFlow serving logs for SIGFPE signals as an indicator of active exploitation attempts.

What systems are affected by CVE-2023-25669?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, inference.

What is the CVSS score for CVE-2023-25669?

CVE-2023-25669 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Prior to versions 2.12.0 and 2.11.1, if the stride and window size are not positive for `tf.raw_ops.AvgPoolGrad`, it can give a floating point exception. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An attacker identifies a TensorFlow model-serving endpoint (TF Serving REST API, custom Flask/FastAPI wrapper, or fine-tuning service) that accepts user-submitted models or tensor inputs. By uploading a model containing an AvgPoolGrad operation with stride=0 or window_size=0, or by directly invoking tf.raw_ops.AvgPoolGrad with crafted parameters via the API, the attacker triggers a floating point exception (SIGFPE) that immediately crashes the TensorFlow process. Since no authentication is required and complexity is low, the attacker can repeat this in a loop to maintain persistent denial of service against the ML infrastructure.

Weaknesses (CWE)

CWE-697

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities

CRITICAL CVE-2020-15196 9.9

TensorFlow: heap OOB read in sparse/ragged count ops

Same package: tensorflow
CRITICAL CVE-2020-15205 9.8

TensorFlow: heap overflow in StringNGrams, ASLR bypass

Same package: tensorflow
CRITICAL CVE-2020-15208 9.8

TFLite: OOB read/write via tensor dimension mismatch

Same package: tensorflow
CRITICAL CVE-2019-16778 9.8

TensorFlow: heap overflow in UnsortedSegmentSum op

Same package: tensorflow
CRITICAL CVE-2022-23587 9.8

TensorFlow: integer overflow in Grappler enables RCE

Same package: tensorflow
Back to Threat Feed