CVE-2023-25672: TensorFlow: NPE in LookupTableImportV2 causes DoS

HIGH
Published March 25, 2023
CISO Take

An unauthenticated attacker can crash any TensorFlow inference service that exposes LookupTableImportV2 by sending a scalar value in the `values` parameter. If your org runs TF Serving or custom TF inference APIs on the network, this is a one-request crash with no special skill required. Patch to TF 2.12.0 or 2.11.1 and validate input shapes at the API boundary.

What is the risk?

High severity DoS with the worst possible access characteristics: network-reachable, no authentication, no user interaction, trivial to reproduce. Impact is limited to availability — no data exposure or code execution — but crashing ML inference processes can halt AI-dependent business workflows (fraud detection, recommendations, NLP pipelines). Risk is materially elevated for any org with public-facing TF serving endpoints without input validation or request filtering.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 28% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

5 steps
  1. Patch immediately: upgrade to TensorFlow 2.12.0 or the backport 2.11.1.

  2. Short-term workaround: add input shape validation at the serving layer: reject requests where `values` has `ndim == 0` before forwarding to TF.

  3. Network hardening: restrict access to TF Serving gRPC/REST ports (default 8500/8501) to internal networks or authenticated callers only.

  4. Detection: monitor TF Serving logs and process crash metrics — repeated NPE-triggered restarts in the LookupTableImportV2 path are a strong signal of exploitation attempts.

  5. Validate downstream: audit any model endpoints using lookup table operations and confirm patched TF version is deployed.
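
One way to implement the shape check from step 2 in front of a TF Serving REST endpoint. This is an added example, not code from the advisory or from TensorFlow. It assumes requests use the columnar `inputs` format and that the model signature exposes a named input called `values`; both the input name and the `MIN_RANK` policy table are hypothetical and must be matched to your model.

```python
import json

# Assumption: named inputs that must be at least rank 1. "values" mirrors the
# advisory's parameter name; how a request field maps onto the op's `values`
# input depends on your model signature.
MIN_RANK = {"values": 1}


def tensor_rank(value):
    """Rank of a JSON-encoded tensor: 0 for anything that is not a list,
    otherwise the list nesting depth. Raises ValueError when sibling
    elements have different nesting depths."""
    if not isinstance(value, list):
        return 0
    if not value:
        return 1  # empty list: rank-1 tensor of shape [0]
    ranks = {tensor_rank(item) for item in value}
    if len(ranks) != 1:
        raise ValueError("mixed nesting depth")
    return 1 + ranks.pop()


def check_predict_body(raw_body, min_rank=MIN_RANK):
    """Return (ok, reason) for a columnar-format predict request body."""
    try:
        body = json.loads(raw_body)
    except (json.JSONDecodeError, UnicodeDecodeError):
        return False, "body is not valid JSON"
    inputs = body.get("inputs") if isinstance(body, dict) else None
    if not isinstance(inputs, dict):
        return False, "expected named tensors under 'inputs'"
    for name, required in min_rank.items():
        if name not in inputs:
            return False, f"missing input '{name}'"
        try:
            rank = tensor_rank(inputs[name])
        except ValueError:
            return False, f"input '{name}' has mixed nesting depth"
        if rank < required:
            return False, f"input '{name}' has rank {rank}, need >= {required}"
    return True, "ok"


# Constructed sample bodies (not captured traffic).
GOOD = '{"inputs": {"keys": [1, 2], "values": [10, 20]}}'
SCALAR = '{"inputs": {"keys": [1, 2], "values": 10}}'
```

Call `check_predict_body` in the proxy or API handler and return HTTP 400 with the reason when it fails, so the request never reaches the TensorFlow process.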

What does CISA's SSVC say?

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.3 - AI system security
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain and update deployed AI systems
OWASP LLM Top 10
LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-25672?

An unauthenticated attacker can crash any TensorFlow inference service that exposes LookupTableImportV2 by sending a scalar value in the `values` parameter. If your org runs TF Serving or custom TF inference APIs on the network, this is a one-request crash with no special skill required. Patch to TF 2.12.0 or 2.11.1 and validate input shapes at the API boundary.

Is CVE-2023-25672 actively exploited?

No confirmed active exploitation of CVE-2023-25672 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25672?

  1. Patch immediately: upgrade to TensorFlow 2.12.0 or the backport 2.11.1.

  2. Short-term workaround: add input shape validation at the serving layer: reject requests where `values` has `ndim == 0` before forwarding to TF.

  3. Network hardening: restrict access to TF Serving gRPC/REST ports (default 8500/8501) to internal networks or authenticated callers only.

  4. Detection: monitor TF Serving logs and process crash metrics; repeated NPE-triggered restarts in the `LookupTableImportV2` path are a strong signal of exploitation attempts.

  5. Validate downstream: audit any model endpoints using lookup table operations and confirm patched TF version is deployed.

What systems are affected by CVE-2023-25672?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference pipelines.

What is the CVSS score for CVE-2023-25672?

CVE-2023-25672 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

model serving, training pipelines, inference pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0029 Denial of AI Service
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.3
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary scanning for TensorFlow Serving endpoints (port 8500/8501) sends a crafted gRPC or REST predict request targeting a model that internally invokes `LookupTableImportV2`. The payload passes a scalar tensor (rank-0) as the `values` parameter instead of a rank-1+ tensor. TF fails to handle the shape mismatch, dereferences a null pointer, and the serving process crashes. Against a recommendation system or NLP classification API processing real-time requests, an attacker can sustain service disruption by automating these requests faster than process restarts. In a Kubernetes deployment without proper liveness probes, this can trigger a crash loop that takes the entire inference deployment offline.

Weaknesses (CWE)

CWE-476 — NULL Pointer Dereference: The product dereferences a pointer that it expects to be valid but is NULL.

  • [Implementation] For any pointers that could have been modified or provided from a function that can return NULL, check the pointer for NULL before use. When working with a multithreaded or otherwise asynchronous environment, ensure that proper locking APIs are used to lock before the check, and unlock when it has finished [REF-1484].
  • [Requirements] Select a programming language that is not susceptible to these issues.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023
