CVE-2023-25675: TensorFlow XLA: Bincount shape mismatch causes DoS

HIGH
Published March 25, 2023
CISO Take

Any TensorFlow deployment running XLA acceleration is vulnerable to unauthenticated remote crash via malformed Bincount inputs — no privileges or user interaction required. If your ML serving infrastructure exposes TF inference endpoints (TF Serving, custom APIs) with XLA enabled, this is a live availability risk. Patch to TensorFlow 2.12.0 or 2.11.1 immediately; if patching is delayed, disable XLA compilation as a temporary workaround.

Risk Assessment

The availability risk to production ML inference infrastructure is high. CVSS 7.5 with network-reachable, zero-auth, low-complexity exploitation makes this trivially weaponizable for DoS. The XLA backend is commonly enabled in production for performance gains, increasing exposure. No confidentiality or integrity impact, but repeated crashes of ML serving endpoints can cause SLA breaches and disrupt AI-powered products. Not in CISA KEV and no known active exploitation, but the barrier to exploit is extremely low.

Affected Systems

Package Ecosystem Vulnerable Range Patched
tensorflow pip No patch

Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 43% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

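AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): None
A (Availability): High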

Recommended Action

  1. PATCH: Upgrade TensorFlow to 2.12.0 (latest stable) or 2.11.1 (backport). Verify via `pip show tensorflow` or `tf.__version__`.

  2. WORKAROUND (if patch not immediately feasible): Disable XLA by setting `TF_XLA_FLAGS=--tf_xla_enable_xla_devices=false` or avoid `jit_compile=True` in model/layer definitions.

  3. INPUT VALIDATION: At serving layer, validate that Bincount `weights` inputs are either empty or match `arr` shape before passing to model.

  4. DETECTION: Monitor for abnormal TF Serving process restarts or container crashes — repeated segfaults targeting Bincount with mismatched shapes are a strong indicator.

  5. INVENTORY: Audit all TF versions in use across training, serving, and pipeline infrastructure.
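
The serving-layer check from the input validation step can be written as a pre-model gate. This is an added example, not code from TensorFlow or from this advisory; it assumes requests arrive as JSON with nested-list tensors under the keys `arr` and `weights` (a hypothetical schema named after the op's parameters), and all function names are illustrative.

```python
import json

class ShapeError(ValueError):
    """Raised when a payload is ragged, non-numeric, or breaks the shape rule."""

def tensor_shape(value):
    """Return the shape of a nested-list tensor as a tuple; reject ragged input."""
    if not isinstance(value, list):
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise ShapeError(f"non-numeric leaf of type {type(value).__name__}")
        return ()                       # numeric scalar leaf
    if not value:
        return (0,)                     # empty list: length-0 tensor
    child_shapes = {tensor_shape(v) for v in value}
    if len(child_shapes) != 1:
        raise ShapeError("ragged tensor: rows have different shapes")
    return (len(value),) + child_shapes.pop()

def check_bincount_inputs(arr, weights):
    """Enforce the safe condition from the advisory: weights is a length-0
    tensor or has exactly the same shape as arr."""
    arr_shape = tensor_shape(arr)
    w_shape = tensor_shape(weights)
    if w_shape == (0,) or w_shape == arr_shape:
        return arr_shape
    raise ShapeError(f"weights shape {w_shape} does not match arr shape {arr_shape}")

def validate_request(body):
    """Validate one JSON request body (assumed keys: 'arr', 'weights').
    Returns (ok, reason) so the caller can reject before invoking the model."""
    try:
        payload = json.loads(body)
        check_bincount_inputs(payload["arr"], payload.get("weights", []))
    except (ShapeError, KeyError, TypeError, RecursionError, json.JSONDecodeError) as exc:
        return False, f"{type(exc).__name__}: {exc}"
    return True, "ok"

# Constructed sample requests (not captured traffic).
SAMPLES = [
    '{"arr": [1, 1, 2, 3, 3, 3], "weights": []}',
    '{"arr": [1, 1, 2, 3], "weights": [0.5, 0.5, 1.0, 2.0]}',
    '{"arr": [0, 1, 2, 3, 4, 5, 6, 7, 8, 9], "weights": [1, 1, 1, 1, 1]}',
    '{"arr": [[1, 2], [3]], "weights": []}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(validate_request(body), body)
```

Rejections are returned as a reason string so the serving layer can log them, which also gives the detection step a signal that arrives before any process crash.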

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk management system
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain and manage AI system risks
OWASP LLM Top 10: LLM04 - Model Denial of Service

Frequently Asked Questions

Is CVE-2023-25675 actively exploited?

No confirmed active exploitation of CVE-2023-25675 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-25675?

1. PATCH: Upgrade TensorFlow to 2.12.0 (latest stable) or 2.11.1 (backport). Verify via `pip show tensorflow` or `tf.__version__`.
2. WORKAROUND (if patch not immediately feasible): Disable XLA by setting `TF_XLA_FLAGS=--tf_xla_enable_xla_devices=false` or avoid `jit_compile=True` in model/layer definitions.
3. INPUT VALIDATION: At serving layer, validate that Bincount `weights` inputs are either empty or match `arr` shape before passing to model.
4. DETECTION: Monitor for abnormal TF Serving process restarts or container crashes — repeated segfaults targeting Bincount with mismatched shapes are a strong indicator.
5. INVENTORY: Audit all TF versions in use across training, serving, and pipeline infrastructure.

What systems are affected by CVE-2023-25675?

This vulnerability affects the following AI/ML architecture patterns: model serving, training pipelines, ML inference APIs.

What is the CVSS score for CVE-2023-25675?

CVE-2023-25675 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

TensorFlow is an open source machine learning platform. When running versions prior to 2.12.0 and 2.11.1 with XLA, `tf.raw_ops.Bincount` segfaults when given a parameter `weights` that is neither the same shape as parameter `arr` nor a length-0 tensor. A fix is included in TensorFlow 2.12.0 and 2.11.1.

Exploitation Scenario

An adversary targeting a company's AI-powered product identifies a TensorFlow Serving endpoint via API reconnaissance. They craft an inference request that triggers the Bincount operation (e.g., via a model that uses frequency-counting preprocessing) with a weights parameter of shape [5] while arr has shape [10]. With XLA enabled, this triggers an immediate segfault, crashing the TF Serving process. On Kubernetes, this causes pod restarts; on bare-metal, it requires manual intervention. The adversary automates this in a loop, creating a sustained DoS that degrades the AI product's availability. The attack requires no authentication and no special knowledge of the model architecture beyond knowing that TF+XLA is in use.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: March 25, 2023
Last Modified: November 21, 2024
First Seen: March 25, 2023
