CVE-2023-25672 — HIGH (CVSS 7.5) AI Security Vulnerability

CISO Take

An unauthenticated attacker can crash any TensorFlow inference service that exposes LookupTableImportV2 by sending a scalar value in the `values` parameter. If your org runs TF Serving or custom TF inference APIs on the network, this is a one-request crash with no special skill required. Patch to TF 2.12.0 or 2.11.1 and validate input shapes at the API boundary.

Risk Assessment

High severity DoS with the worst possible access characteristics: network-reachable, no authentication, no user interaction, trivial to reproduce. Impact is limited to availability — no data exposure or code execution — but crashing ML inference processes can halt AI-dependent business workflows (fraud detection, recommendations, NLP pipelines). Risk is materially elevated for any org with public-facing TF serving endpoints without input validation or request filtering.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
tensorflow	pip	—	No patch
195.0K OpenSSF 7.2 3.7K dependents Pushed today 4% patched ~1372d to patch Full package profile →

Do you use tensorflow? You're affected.

Severity & Risk

CVSS 3.1

7.5 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 28% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I None

A High

Recommended Action

5 steps

Patch immediately: upgrade to TensorFlow 2.12.0 or the backport 2.11.1.
Short-term workaround: add input shape validation at the serving layer — reject requests where values has ndim == 0 before forwarding to TF.
Network hardening: restrict access to TF Serving gRPC/REST ports (default 8500/8501) to internal networks or authenticated callers only.
Detection: monitor TF Serving logs and process crash metrics — repeated NPE-triggered restarts in the LookupTableImportV2 path are a strong signal of exploitation attempts.
Validate downstream: audit any model endpoints using lookup table operations and confirm patched TF version is deployed.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

DoS Framework Inference AML.T0010.001 - AI Software AML.T0029 - Denial of AI Service AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain and update deployed AI systems

OWASP LLM Top 10

LLM05:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-25672?

An unauthenticated attacker can crash any TensorFlow inference service that exposes LookupTableImportV2 by sending a scalar value in the `values` parameter. If your org runs TF Serving or custom TF inference APIs on the network, this is a one-request crash with no special skill required. Patch to TF 2.12.0 or 2.11.1 and validate input shapes at the API boundary.

Is CVE-2023-25672 actively exploited?

No confirmed active exploitation of CVE-2023-25672 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25672?

1. Patch immediately: upgrade to TensorFlow 2.12.0 or the backport 2.11.1. 2. Short-term workaround: add input shape validation at the serving layer — reject requests where `values` has ndim == 0 before forwarding to TF. 3. Network hardening: restrict access to TF Serving gRPC/REST ports (default 8500/8501) to internal networks or authenticated callers only. 4. Detection: monitor TF Serving logs and process crash metrics — repeated NPE-triggered restarts in the `LookupTableImportV2` path are a strong signal of exploitation attempts. 5. Validate downstream: audit any model endpoints using lookup table operations and confirm patched TF version is deployed.

What systems are affected by CVE-2023-25672?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference pipelines.

What is the CVSS score for CVE-2023-25672?

CVE-2023-25672 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.10%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. The function `tf.raw_ops.LookupTableImportV2` cannot handle scalars in the `values` parameter and gives an NPE. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.

Exploitation Scenario

An adversary scanning for TensorFlow Serving endpoints (port 8500/8501) sends a crafted gRPC or REST predict request targeting a model that internally invokes `LookupTableImportV2`. The payload passes a scalar tensor (rank-0) as the `values` parameter instead of a rank-1+ tensor. TF fails to handle the shape mismatch, dereferences a null pointer, and the serving process crashes. Against a recommendation system or NLP classification API processing real-time requests, an attacker can sustain service disruption by automating these requests faster than process restarts. In a Kubernetes deployment without proper liveness probes, this can trigger a crash loop that takes the entire inference deployment offline.