CVE-2023-25674: TensorFlow: null pointer DoS in RandomShuffle (XLA)
HIGH | PoC AVAILABLE
A remotely exploitable null pointer dereference in TensorFlow's RandomShuffle op (XLA mode) allows any unauthenticated attacker to crash TensorFlow workloads — training jobs, preprocessing pipelines, or inference servers. No authentication or special privileges needed; low complexity to trigger. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; if you cannot patch now, disable XLA compilation as a stopgap.
Risk Assessment
CVSS 7.5 (High) with AV:N/AC:L/PR:N/UI:N makes this trivially exploitable from the network against any exposed TensorFlow endpoint. Impact is limited to availability (A:H); no confidentiality or integrity risk. Exploitability is high but blast radius is limited to service disruption — no data exfiltration or code execution path. Risk elevates significantly in production inference APIs or multi-tenant ML platforms where uptime is critical and the XLA compiler is enabled for performance.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| tensorflow | pip | — | No patch |
Recommended Action
1. PATCH: Upgrade to TensorFlow 2.12.0 or 2.11.1 (fix: commit 728113a3). This is the only complete remediation.
2. WORKAROUND (pre-patch): Set TF_XLA_FLAGS='--tf_xla_auto_jit=0' or disable XLA via tf.config.optimizer.set_jit(False) to prevent null pointer trigger.
3. DETECT: Monitor TensorFlow processes for unexpected crashes or SIGSEGV/SIGABRT signals. Alert on abnormal process restarts in inference serving infrastructure.
4. NETWORK CONTROLS: If TensorFlow Serving is not public-facing, restrict API access to authorized internal clients only via network policy.
5. VERIFY EXPOSURE: Audit all deployments for XLA enablement — tf.function with jit_compile=True, TPU workloads, and any use of tf.xla.experimental.compile.
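For the PATCH and VERIFY EXPOSURE steps, a version check and source audit can be scripted. The following is an added example, not code from TensorFlow or from this advisory; the function names and the sample module are constructed, and mapping `tf.random.shuffle` / `tf.raw_ops.RandomShuffle` to the RandomShuffle op is this example's assumption about how the op is reached from Python.

```python
import ast
import re

# Call paths (after the tensorflow alias) relevant to this CVE -> finding kind.
CALLS = {"xla.experimental.compile": "xla",
         "random.shuffle": "op", "raw_ops.RandomShuffle": "op"}

def is_vulnerable(version):
    """True if older than the fixed releases 2.11.1 / 2.12.0 (rc/dev suffix ignored)."""
    v = tuple(int(x) for x in re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    return v < (2, 11, 1) if v[:2] == (2, 11) else v < (2, 12, 0)

def dotted(node):
    """Render an attribute chain such as tf.random.shuffle as a dotted string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [getattr(node, "id", "")]))

def audit_source(source):
    """Return sorted (line, finding) pairs: XLA enablement and RandomShuffle use."""
    tree = ast.parse(source)
    aliases = {a.asname or a.name for n in ast.walk(tree)  # import tensorflow [as tf]
               if isinstance(n, ast.Import) for a in n.names if a.name == "tensorflow"}
    findings = []
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        for kw in node.keywords:
            if kw.arg == "jit_compile" and getattr(kw.value, "value", None) is True:
                findings.append((node.lineno, "xla: jit_compile=True"))
        root, _, tail = dotted(node.func).partition(".")
        if root in aliases and tail in CALLS:
            findings.append((node.lineno, f"{CALLS[tail]}: {tail}"))
    return sorted(findings)

def exposed(version, source):
    """Vulnerable build AND an XLA finding AND a RandomShuffle finding."""
    kinds = {f.split(":")[0] for _, f in audit_source(source)}
    return is_vulnerable(version) and {"xla", "op"} <= kinds

# Constructed sample input; the stdlib shuffle must not be flagged.
SAMPLE = """import random
import tensorflow as tf
@tf.function(jit_compile=True)
def augment(batch):
    return tf.random.shuffle(batch)
random.shuffle([1, 2, 3])
"""
```

The scan covers explicit source-level enablement only; auto-clustering set through TF_XLA_FLAGS and TPU execution have to be checked in the deployment configuration.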
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2023-25674?
A remotely exploitable null pointer dereference in TensorFlow's RandomShuffle op (XLA mode) allows any unauthenticated attacker to crash TensorFlow workloads — training jobs, preprocessing pipelines, or inference servers. No authentication or special privileges needed; low complexity to trigger. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; if you cannot patch now, disable XLA compilation as a stopgap.
Is CVE-2023-25674 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2023-25674, increasing the risk of exploitation.
How to fix CVE-2023-25674?
1. PATCH: Upgrade to TensorFlow 2.12.0 or 2.11.1 (fix: commit 728113a3). This is the only complete remediation.
2. WORKAROUND (pre-patch): Set TF_XLA_FLAGS='--tf_xla_auto_jit=0' or disable XLA via tf.config.optimizer.set_jit(False) to prevent null pointer trigger.
3. DETECT: Monitor TensorFlow processes for unexpected crashes or SIGSEGV/SIGABRT signals. Alert on abnormal process restarts in inference serving infrastructure.
4. NETWORK CONTROLS: If TensorFlow Serving is not public-facing, restrict API access to authorized internal clients only via network policy.
5. VERIFY EXPOSURE: Audit all deployments for XLA enablement — tf.function with jit_compile=True, TPU workloads, and any use of tf.xla.experimental.compile.
What systems are affected by CVE-2023-25674?
This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, data preprocessing pipelines, distributed training clusters.
What is the CVSS score for CVE-2023-25674?
CVE-2023-25674 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.39%.
Technical Details
NVD Description
TensorFlow is an open source machine learning platform. Versions prior to 2.12.0 and 2.11.1 have a null pointer error in RandomShuffle with XLA enabled. A fix is included in TensorFlow 2.12.0 and 2.11.1.
Exploitation Scenario
An adversary identifies a public-facing TensorFlow Serving instance (e.g., a model inference API) or gains access to an ML training platform API. They craft a model inference request or inject a malicious training input that triggers the RandomShuffle operation with XLA compilation active. The null pointer dereference causes the TensorFlow runtime to crash (SIGSEGV), bringing down the serving process. In a Kubernetes or cloud ML environment, this triggers pod restarts, potentially causing a denial-of-service loop if the attacker can repeatedly submit malicious requests faster than the service recovers. In a training context, the adversary crashes distributed training workers, causing expensive multi-hour job failures and forcing costly re-runs.
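The restart loop described above is visible in Kubernetes container status, which is one place the DETECT step can be implemented. This is an added example, not part of the original advisory; it assumes pod status exported with `kubectl get pods -o json`, and the pod and container names in the sample are constructed.

```python
import json

# On Linux a signal-killed process is reported as exit code 128 + signal number.
FATAL_EXIT = {139: "SIGSEGV", 134: "SIGABRT"}

def crash_findings(pod_list, min_restarts=3):
    """Return (pod, container, signal, restarts, looping) for each container whose
    most recent termination was SIGSEGV or SIGABRT."""
    findings = []
    for pod in pod_list.get("items", []):
        for cs in pod.get("status", {}).get("containerStatuses", []):
            # A restarted container keeps its previous exit in lastState; one that
            # is currently down reports it in state.
            term = (cs.get("lastState", {}).get("terminated")
                    or cs.get("state", {}).get("terminated"))
            signal = FATAL_EXIT.get((term or {}).get("exitCode"))
            if signal:
                restarts = cs.get("restartCount", 0)
                findings.append((pod["metadata"]["name"], cs["name"], signal,
                                 restarts, restarts >= min_restarts))
    return findings

# Constructed sample in the shape of `kubectl get pods -o json` (names are made up).
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "tf-serving-0"}, "status": {"containerStatuses": [
   {"name": "serving", "restartCount": 7,
    "state": {"waiting": {"reason": "CrashLoopBackOff"}},
    "lastState": {"terminated": {"exitCode": 139, "reason": "Error"}}}]}},
 {"metadata": {"name": "tf-serving-1"}, "status": {"containerStatuses": [
   {"name": "serving", "restartCount": 1, "state": {"running": {}},
    "lastState": {"terminated": {"exitCode": 137, "reason": "OOMKilled"}}}]}},
 {"metadata": {"name": "trainer-0"}, "status": {"containerStatuses": [
   {"name": "worker", "restartCount": 0, "lastState": {},
    "state": {"terminated": {"exitCode": 134, "reason": "Error"}}}]}}
]}
""")
```

Exit codes identify the signal, not the cause, so correlate flagged pods with request logs before attributing a crash to this CVE.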
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
CVE-2020-15196 9.9 TensorFlow: heap OOB read in sparse/ragged count ops (Same package: tensorflow)
CVE-2020-15205 9.8 TensorFlow: heap overflow in StringNGrams, ASLR bypass (Same package: tensorflow)
CVE-2020-15208 9.8 TFLite: OOB read/write via tensor dimension mismatch (Same package: tensorflow)
CVE-2019-16778 9.8 TensorFlow: heap overflow in UnsortedSegmentSum op (Same package: tensorflow)
CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE (Same package: tensorflow)