CVE-2023-25673: TensorFlow: FPE in TensorListSplit (XLA) remote DoS
HIGH
A remotely exploitable floating point exception in TensorFlow's XLA-compiled TensorListSplit operation allows unauthenticated attackers to crash any TF serving endpoint that processes user-controlled tensor inputs, with no privileges or interaction required. If your model serving infrastructure runs TF < 2.11.1/2.12.0 with XLA enabled, this is an uptime risk to production inference APIs. Patch immediately or disable XLA compilation as a temporary workaround.
Risk Assessment
High severity for AI/ML production environments. CVSS 7.5 reflects unauthenticated network-accessible DoS with low attack complexity. Internet-facing TF Serving APIs, REST/gRPC model endpoints, and any pipeline that feeds user-controlled data into XLA-compiled graphs are directly exposed. The availability-only impact limits blast radius, but continuous exploitation can take down inference infrastructure with trivial automation. Severity is elevated in regulated environments where model availability underpins compliance SLAs.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Do you use tensorflow? You're affected.
Recommended Action
1. PATCH: Upgrade to TensorFlow 2.12.0 or 2.11.1, the only definitive fix per the vendor advisory.
2. WORKAROUND: Disable XLA JIT compilation via tf.config.optimizer.set_jit(False) or TF_XLA_FLAGS env var until patching is feasible.
3. INPUT VALIDATION: Add server-side tensor shape and type validation before feeding inputs to XLA-compiled graphs; reject malformed or unexpected tensor list dimensions at the API boundary.
4. RATE LIMITING: Apply request rate limits and circuit breakers on model serving endpoints to reduce DoS impact.
5. DETECTION: Monitor for abnormal process crashes or restarts in TF Serving containers; alert on SIGFPE signals in model serving processes.
6. ISOLATION: Run model serving in isolated containers/processes with automatic restart policies to minimize downtime during exploitation attempts.
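One way to implement the DETECTION step, added here as an example (not code from TensorFlow or from this advisory): it flags serving containers that exit repeatedly from SIGFPE inside a short window. The event tuple format, container names, threshold and window are constructed assumptions; exit code 136 is the 128 + signal-number convention that shells and container runtimes use for SIGFPE (signal 8 on Linux).

```python
import signal
from collections import defaultdict, deque

# SIGFPE is signal 8 on Linux. A process killed by it shows up as
# returncode -8 in subprocess/waitpid wrappers and as exit code 136
# (128 + 8) in shells and container runtimes.
SIGFPE_NUM = int(signal.SIGFPE)
SIGFPE_EXIT_CODES = {-SIGFPE_NUM, 128 + SIGFPE_NUM}


def is_sigfpe_exit(exit_code: int) -> bool:
    """True if the exit status means the process died from SIGFPE."""
    return exit_code in SIGFPE_EXIT_CODES


def find_crash_loops(events, threshold=3, window_s=60):
    """Return {container: alert_ts} for containers with at least
    `threshold` SIGFPE exits inside any `window_s`-second window.
    `events` is an iterable of (unix_ts, container, exit_code)."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, container, code in sorted(events):
        if not is_sigfpe_exit(code):
            continue
        q = recent[container]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()  # drop crashes that fell out of the window
        if len(q) >= threshold and container not in alerts:
            alerts[container] = ts
    return alerts


# Constructed sample events from a hypothetical orchestrator feed.
SAMPLE_EVENTS = [
    (1000, "tf-serving-a", 136),
    (1012, "tf-serving-a", 136),
    (1015, "tf-serving-b", 137),  # SIGKILL (e.g. OOM), not SIGFPE
    (1030, "tf-serving-a", 136),  # third SIGFPE in 30 s
    (1040, "tf-serving-c", 136),
    (1400, "tf-serving-c", 136),  # too far apart to be a loop
    (1405, "tf-serving-b", 0),
]

if __name__ == "__main__":
    for name, ts in find_crash_loops(SAMPLE_EVENTS).items():
        print(f"ALERT {name}: repeated SIGFPE exits, threshold hit at t={ts}")
```

A single SIGFPE exit is worth logging on its own; the windowed count separates a one-off crash from the sustained restart-crash pattern described under Exploitation Scenario.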
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2023-25673 actively exploited?
No confirmed active exploitation of CVE-2023-25673 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2023-25673?
This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, inference endpoints, TPU/XLA-accelerated workloads.
What is the CVSS score for CVE-2023-25673?
CVE-2023-25673 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.28%.
Technical Details
NVD Description
TensorFlow is an open source platform for machine learning. Versions prior to 2.12.0 and 2.11.1 have a Floating Point Exception in TensorListSplit with XLA. A fix is included in TensorFlow version 2.12.0 and version 2.11.1.
Exploitation Scenario
An attacker identifies a publicly accessible TensorFlow Serving REST API endpoint (common in MLOps platforms, internal AI services, or SaaS products built on TF). Using knowledge of the target model's input schema — obtainable via the model's /v1/models endpoint or error messages — the attacker crafts a request containing a TensorList with edge-case numeric parameters that trigger the XLA TensorListSplit division-by-zero or invalid comparison. The FPE signal crashes the serving worker process. The attacker automates this with a simple curl/Python script to continuously restart-crash the server, achieving sustained DoS. No authentication, no ML expertise beyond basic TF API knowledge required.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2020-15196 | 9.9 | TensorFlow: heap OOB read in sparse/ragged count ops | Same package: tensorflow |
| CVE-2020-15205 | 9.8 | TensorFlow: heap overflow in StringNGrams, ASLR bypass | Same package: tensorflow |
| CVE-2020-15208 | 9.8 | TFLite: OOB read/write via tensor dimension mismatch | Same package: tensorflow |
| CVE-2019-16778 | 9.8 | TensorFlow: heap overflow in UnsortedSegmentSum op | Same package: tensorflow |
| CVE-2022-23587 | 9.8 | TensorFlow: integer overflow in Grappler enables RCE | Same package: tensorflow |