CVE-2023-25671: TensorFlow: OOB write DoS via integer type mismatch

HIGH
Published March 25, 2023
CISO Take

A network-accessible crash in TensorFlow requires no authentication and no user interaction — any exposed inference endpoint is at risk of being taken down with a crafted request. The impact is availability-only (no data exfiltration), but a downed ML serving layer can cascade into production outages. Patch immediately to TensorFlow 2.12.0 or 2.11.1; if patching is delayed, isolate TF serving endpoints behind authenticated API gateways.

What is the risk?

High operational risk for teams running TensorFlow-based inference in production, especially if serving endpoints are internet-facing or accessible by untrusted clients. CVSS 7.5 reflects the combination of zero authentication barrier and network accessibility. Blast radius is limited to availability — no confidentiality or integrity impact — but for real-time inference pipelines (fraud detection, content moderation, LLM backends), service disruption has direct business impact. Exploitation is straightforward once the triggering input is identified, lowering the effective bar for threat actors targeting AI infrastructure.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 40% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Moderate

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: None
I: None
A: High

What should I do?

5 steps
  1. PATCH

    Upgrade to TensorFlow 2.12.0 (stable) or 2.11.1 (patch release) immediately. Verify installed version with pip show tensorflow or conda list tensorflow.

  2. ISOLATE

    If patching is not immediately possible, place TF serving endpoints behind an authenticated API gateway or mTLS layer to require valid credentials before requests reach TF ops.

  3. INPUT VALIDATION

    Implement tensor shape and dtype validation at the API boundary before passing inputs to TF operations — reject requests with mismatched integer types.

  4. MONITOR

    Alert on unexpected process crashes or restarts in TF serving containers (SIGABRT, SIGSEGV signals). Correlate with source IPs sending malformed tensor requests.

  5. CONTAINER HYGIENE

    Ensure TF containers run as non-root with resource limits so a crash does not escalate to host-level impact.
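The following Python is an added example of step 3 (tensor shape and dtype validation at the API boundary) and is not code from TensorFlow or from this advisory's source. It assumes a hypothetical model signature (MODEL_SIGNATURE), a simple JSON-style request layout in which each input carries its own dtype, shape and flat data list, and a constructed element cap (MAX_ELEMENTS); the sample requests at the bottom are constructed. The validator rejects a request when the declared dtype differs from the signature, when an integer value does not fit the signature's integer width, when shape and payload disagree, or when the tensor would be oversized, so that no mismatched-integer tensor ever reaches a TF op.

```python
from math import prod
from typing import Any, Dict, List, Optional, Tuple

# Representable value ranges for the integer dtypes accepted at the boundary.
INT_RANGES: Dict[str, Tuple[int, int]] = {
    "int8": (-(2 ** 7), 2 ** 7 - 1), "int16": (-(2 ** 15), 2 ** 15 - 1),
    "int32": (-(2 ** 31), 2 ** 31 - 1), "int64": (-(2 ** 63), 2 ** 63 - 1),
    "uint8": (0, 2 ** 8 - 1), "uint16": (0, 2 ** 16 - 1),
    "uint32": (0, 2 ** 32 - 1), "uint64": (0, 2 ** 64 - 1),
}
FLOAT_DTYPES = {"float16", "float32", "float64"}

# Hypothetical model signature (constructed): input name -> (dtype, shape).
# None marks a free dimension such as the batch axis.
MODEL_SIGNATURE: Dict[str, Tuple[str, Tuple[Optional[int], ...]]] = {
    "token_ids": ("int32", (None, 8)),
    "features": ("float32", (None, 3)),
}
# Cap on elements per tensor so one request cannot demand unbounded memory (constructed).
MAX_ELEMENTS = 1_000_000


def _element_error(value: Any, dtype: str) -> Optional[str]:
    """Return a reason if `value` is not representable as `dtype`, else None."""
    if isinstance(value, bool):  # bool subclasses int in Python; reject it explicitly
        return f"boolean element is not a valid {dtype}"
    if dtype in INT_RANGES:
        if not isinstance(value, int):
            return f"expected {dtype} element, got {type(value).__name__}"
        lo, hi = INT_RANGES[dtype]
        if not lo <= value <= hi:
            return f"value {value} is outside the {dtype} range [{lo}, {hi}]"
        return None
    if dtype in FLOAT_DTYPES:
        if not isinstance(value, (int, float)):
            return f"expected {dtype} element, got {type(value).__name__}"
        return None
    return f"unsupported dtype {dtype!r}"


def validate_tensor(name: str, tensor: Dict[str, Any], expected_dtype: str,
                    expected_shape: Tuple[Optional[int], ...]) -> List[str]:
    """Check one input tensor against its signature entry; return a list of errors."""
    errors: List[str] = []
    # 1. dtype must match the signature exactly: no silent widening or narrowing.
    dtype = tensor.get("dtype")
    if dtype != expected_dtype:
        errors.append(f"{name}: dtype {dtype!r} does not match signature dtype {expected_dtype!r}")
    # 2. shape must be non-negative ints with the signature's rank and fixed dimensions.
    shape = tensor.get("shape")
    if not isinstance(shape, list) or not all(
            isinstance(d, int) and not isinstance(d, bool) and d >= 0 for d in shape):
        return errors + [f"{name}: shape must be a list of non-negative integers"]
    if len(shape) != len(expected_shape):
        errors.append(f"{name}: rank {len(shape)} does not match signature rank {len(expected_shape)}")
    else:
        for axis, (got, want) in enumerate(zip(shape, expected_shape)):
            if want is not None and got != want:
                errors.append(f"{name}: axis {axis} has size {got}, signature requires {want}")
    # 3. element count implied by the shape must be bounded and match the payload.
    n_elements = prod(shape)
    if n_elements > MAX_ELEMENTS:
        return errors + [f"{name}: {n_elements} elements exceeds limit of {MAX_ELEMENTS}"]
    data = tensor.get("data")
    if not isinstance(data, list):
        return errors + [f"{name}: data must be a flat list"]
    if len(data) != n_elements:
        return errors + [f"{name}: data has {len(data)} elements, shape implies {n_elements}"]
    # 4. every element must fit the dtype the *signature* demands, whatever the client claimed.
    for idx, value in enumerate(data):
        reason = _element_error(value, expected_dtype)
        if reason is not None:
            errors.append(f"{name}[{idx}]: {reason}")
            break  # one bad element is enough to reject the request
    return errors


def validate_request(request: Dict[str, Any], signature=MODEL_SIGNATURE) -> List[str]:
    """Validate a whole inference request; an empty list means it may be passed to the model."""
    inputs = request.get("inputs")
    if not isinstance(inputs, dict):
        return ["request must contain an 'inputs' object"]
    errors = [f"unexpected input {n!r}" for n in sorted(inputs.keys() - signature.keys())]
    for name, (dtype, shape) in signature.items():
        tensor = inputs.get(name)
        if not isinstance(tensor, dict):
            errors.append(f"missing or malformed input {name!r}")
            continue
        errors.extend(validate_tensor(name, tensor, dtype, shape))
    return errors


# Constructed sample requests: one well-formed, the others each violating one rule.
_FEATURES = {"dtype": "float32", "shape": [1, 3], "data": [0.1, 0.2, 0.3]}
GOOD_REQUEST = {"inputs": {
    "token_ids": {"dtype": "int32", "shape": [1, 8], "data": list(range(8))}, "features": _FEATURES}}
BAD_REQUESTS = {
    "wrong_int_width": {"inputs": {  # client declares a wider integer type than the signature
        "token_ids": {"dtype": "int64", "shape": [1, 8], "data": list(range(8))}, "features": _FEATURES}},
    "int32_overflow": {"inputs": {  # dtype claim is right, but one value cannot fit in int32
        "token_ids": {"dtype": "int32", "shape": [1, 8], "data": [0, 1, 2, 3, 4, 5, 6, 2 ** 40]},
        "features": _FEATURES}},
    "shape_mismatch": {"inputs": {  # declared shape disagrees with both signature and payload
        "token_ids": {"dtype": "int32", "shape": [1, 9], "data": list(range(8))}, "features": _FEATURES}},
}

if __name__ == "__main__":
    print("good:", validate_request(GOOD_REQUEST) or "accepted")
    for label, req in BAD_REQUESTS.items():
        print(f"{label}:", validate_request(req))
```

Validation is done against the signature's dtype rather than the client's claim, so a payload cannot talk its way past the check by declaring a convenient type; a gateway or request handler would run validate_request() and return HTTP 400 on any non-empty result before the tensor is ever materialised.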

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity of high-risk AI systems
  Article 9 - Risk management system for high-risk AI
ISO 42001
  8.4 - AI system risk assessment and treatment
  9.1 - Monitoring, measurement, analysis and evaluation of AI systems
NIST AI RMF
  GOVERN-1.1 - Policies, processes, and practices for AI risk management
  MANAGE-2.2 - Mechanisms are in place to sustain the value of deployed AI systems
OWASP LLM Top 10
  LLM05:2025 - Improper Output Handling / Insecure Design in Infrastructure

Frequently Asked Questions

Is CVE-2023-25671 actively exploited?

No confirmed active exploitation of CVE-2023-25671 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25671?

  1. PATCH: Upgrade to TensorFlow 2.12.0 (stable) or 2.11.1 (patch release) immediately. Verify installed version with `pip show tensorflow` or `conda list tensorflow`.
  2. ISOLATE: If patching is not immediately possible, place TF serving endpoints behind an authenticated API gateway or mTLS layer to require valid credentials before requests reach TF ops.
  3. INPUT VALIDATION: Implement tensor shape and dtype validation at the API boundary before passing inputs to TF operations; reject requests with mismatched integer types.
  4. MONITOR: Alert on unexpected process crashes or restarts in TF serving containers (SIGABRT, SIGSEGV signals). Correlate with source IPs sending malformed tensor requests.
  5. CONTAINER HYGIENE: Ensure TF containers run as non-root with resource limits so a crash does not escalate to host-level impact.

What systems are affected by CVE-2023-25671?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, training pipelines, MLOps orchestration.

What is the CVSS score for CVE-2023-25671?

CVE-2023-25671 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.52%.

What is the AI security impact?

Affected AI Architectures

model serving, inference pipelines, training pipelines, MLOps orchestration

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: 8.4, 9.1
NIST AI RMF: GOVERN-1.1, MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. There is out-of-bounds access due to mismatched integer type sizes. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary targets a publicly accessible TensorFlow Serving endpoint (common in production MLOps stacks). They submit a crafted inference request containing a tensor with deliberately mismatched integer type sizes — exploiting the integer type mismatch flaw — which triggers an out-of-bounds write in the C++ TF runtime. The result is a process crash (SIGABRT/SIGSEGV), taking down the serving instance. In a horizontally scaled deployment, the attacker repeats requests to each pod. With no rate limiting or input validation, this constitutes a sustained, low-cost denial of service against the ML inference layer — no credentials, no prior access, no ML expertise required beyond knowing the target runs TF.

Weaknesses (CWE)

CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.

  • [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023
