CVE-2023-25671: TensorFlow: OOB write DoS via integer type mismatch
Severity: HIGH
A network-accessible crash in TensorFlow requires no authentication and no user interaction — any exposed inference endpoint is at risk of being taken down with a crafted request. The impact is availability-only (no data exfiltration), but a downed ML serving layer can cascade into production outages. Patch immediately to TensorFlow 2.12.0 or 2.11.1; if patching is delayed, isolate TF serving endpoints behind authenticated API gateways.
Risk Assessment
High operational risk for teams running TensorFlow-based inference in production, especially if serving endpoints are internet-facing or accessible by untrusted clients. CVSS 7.5 reflects the combination of zero authentication barrier and network accessibility. Blast radius is limited to availability — no confidentiality or integrity impact — but for real-time inference pipelines (fraud detection, content moderation, LLM backends), service disruption has direct business impact. Exploitation is straightforward once the triggering input is identified, lowering the effective bar for threat actors targeting AI infrastructure.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
1. PATCH: Upgrade to TensorFlow 2.12.0 (stable) or 2.11.1 (patch release) immediately. Verify installed version with `pip show tensorflow` or `conda list tensorflow`.
2. ISOLATE: If patching is not immediately possible, place TF serving endpoints behind an authenticated API gateway or mTLS layer to require valid credentials before requests reach TF ops.
3. INPUT VALIDATION: Implement tensor shape and dtype validation at the API boundary before passing inputs to TF operations — reject requests with mismatched integer types.
4. MONITOR: Alert on unexpected process crashes or restarts in TF serving containers (SIGABRT, SIGSEGV signals). Correlate with source IPs sending malformed tensor requests.
5. CONTAINER HYGIENE: Ensure TF containers run as non-root with resource limits so a crash does not escalate to host-level impact.
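For the PATCH step, the following added example (not code from the TensorFlow project or from this advisory's author) audits a requirements file and the current environment against the two fix releases named above. The function names, the status labels and the sample file are assumptions made for illustration.

```python
import re
from importlib import metadata

# Fix releases named in this advisory: 2.12.0 and the 2.11.1 patch release.
FIXED_FLOOR = (2, 11, 1)
# Matches a requirement for the package "tensorflow" only (not tensorflow-io etc.).
REQ = re.compile(r"^\s*tensorflow(?![\w.-])(?:\[[^\]]*\])?\s*(==)?\s*([^\s;#,]*)", re.I)

def classify(version_text):
    """Return 'fixed', 'unpatched' or 'review' for a TensorFlow version string."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$", version_text.strip())
    if not m:
        return "review"
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    if release < FIXED_FLOOR:
        return "unpatched"
    # Pre-releases (2.12.0rc1, dev builds) may have been cut before the fix.
    if re.match(r"^\.?(a|b|rc|dev)", m.group(4), re.I):
        return "review"
    return "fixed"

def audit_requirements(text):
    """Return (line_no, requirement, status) for each tensorflow requirement."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if m:
            # Only an exact pin tells us which build will be installed.
            status = classify(m.group(2)) if m.group(1) else "review"
            findings.append((no, line.strip(), status))
    return findings

def installed_status():
    """Classify the TensorFlow build in the current environment, if any."""
    try:
        return classify(metadata.version("tensorflow"))
    except metadata.PackageNotFoundError:
        return "absent"

# Constructed sample requirements file, not taken from any real project.
SAMPLE = """\
tensorflow==2.11.0
tensorflow-io==0.31.0
tensorflow>=2.9
TensorFlow==2.12.0rc1
tensorflow==2.11.1  # patched
"""
if __name__ == "__main__":
    print(audit_requirements(SAMPLE), installed_status())
```

Anything reported as `review` (unpinned ranges, pre-releases, unparseable versions) needs a manual check of the build that is actually deployed.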
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2023-25671?
A network-accessible crash in TensorFlow requires no authentication and no user interaction — any exposed inference endpoint is at risk of being taken down with a crafted request. The impact is availability-only (no data exfiltration), but a downed ML serving layer can cascade into production outages. Patch immediately to TensorFlow 2.12.0 or 2.11.1; if patching is delayed, isolate TF serving endpoints behind authenticated API gateways.
Is CVE-2023-25671 actively exploited?
No confirmed active exploitation of CVE-2023-25671 has been reported, but organizations should still patch proactively.
How to fix CVE-2023-25671?
1. PATCH: Upgrade to TensorFlow 2.12.0 (stable) or 2.11.1 (patch release) immediately. Verify installed version with `pip show tensorflow` or `conda list tensorflow`.
2. ISOLATE: If patching is not immediately possible, place TF serving endpoints behind an authenticated API gateway or mTLS layer to require valid credentials before requests reach TF ops.
3. INPUT VALIDATION: Implement tensor shape and dtype validation at the API boundary before passing inputs to TF operations — reject requests with mismatched integer types.
4. MONITOR: Alert on unexpected process crashes or restarts in TF serving containers (SIGABRT, SIGSEGV signals). Correlate with source IPs sending malformed tensor requests.
5. CONTAINER HYGIENE: Ensure TF containers run as non-root with resource limits so a crash does not escalate to host-level impact.
What systems are affected by CVE-2023-25671?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, MLOps orchestration.
What is the CVSS score for CVE-2023-25671?
CVE-2023-25671 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.32%.
Technical Details
NVD Description
TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Exploitation Scenario
An adversary targets a publicly accessible TensorFlow Serving endpoint (common in production MLOps stacks). They submit a crafted inference request containing a tensor with deliberately mismatched integer type sizes — exploiting the integer type mismatch flaw — which triggers an out-of-bounds write in the C++ TF runtime. The result is a process crash (SIGABRT/SIGSEGV), taking down the serving instance. In a horizontally scaled deployment, the attacker repeats requests to each pod. With no rate limiting or input validation, this constitutes a sustained, low-cost denial of service against the ML inference layer — no credentials, no prior access, no ML expertise required beyond knowing the target runs TF.
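Detection logic for the crash pattern in this scenario and for the MONITOR step, as an added example that is not part of the original advisory: it keeps only signal-driven container exits (128 + signal number) and flags source IPs whose requests immediately preceded crashes on several pods. The log formats, the 5-second window, the two-pod threshold and the assumption that the gateway records which pod served each request are all illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Container exit status 128 + N means the process died from signal N.
CRASH_EXITS = {134: "SIGABRT", 139: "SIGSEGV"}
WINDOW = timedelta(seconds=5)   # assumed look-back before each crash
MIN_PODS = 2                    # assumed threshold: distinct pods crashed

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def correlate(crash_log, request_log):
    """Map source IP -> sorted pods that crashed within WINDOW of its request."""
    crashes = []
    for line in crash_log.splitlines():
        when, pod, status = line.split()
        code = int(status.split("=", 1)[1])
        if code in CRASH_EXITS:          # ignore OOM kills (137) and clean exits
            crashes.append((ts(when), pod))
    suspects = defaultdict(set)
    for line in request_log.splitlines():
        when, ip, pod = line.split()
        seen = ts(when)
        if any(p == pod and timedelta(0) <= c - seen <= WINDOW for c, p in crashes):
            suspects[ip].add(pod)
    return {ip: sorted(pods) for ip, pods in suspects.items()}

def alerts(crash_log, request_log):
    """Source IPs whose requests preceded crashes on at least MIN_PODS pods."""
    hits = correlate(crash_log, request_log)
    return sorted(ip for ip, pods in hits.items() if len(pods) >= MIN_PODS)

# Constructed sample data (documentation IP ranges), not real telemetry.
CRASHES = """\
2023-03-25T10:00:05Z tf-serving-0 exit=139
2023-03-25T10:00:09Z tf-serving-1 exit=134
2023-03-25T10:03:00Z tf-serving-2 exit=137
2023-03-25T10:00:14Z tf-serving-2 exit=139
"""
REQUESTS = """\
2023-03-25T10:00:04Z 198.51.100.7 tf-serving-0
2023-03-25T10:00:04Z 192.0.2.10 tf-serving-0
2023-03-25T10:00:08Z 198.51.100.7 tf-serving-1
2023-03-25T10:00:13Z 198.51.100.7 tf-serving-2
2023-03-25T09:58:00Z 192.0.2.10 tf-serving-1
2023-03-25T10:02:59Z 192.0.2.33 tf-serving-2
"""
if __name__ == "__main__":
    print(correlate(CRASHES, REQUESTS), alerts(CRASHES, REQUESTS))
```

A client that merely shared a pod with the crashing request (192.0.2.10 here) appears in the correlation but stays below the alert threshold.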
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |