CVE-2023-5245 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

MLeap's FileUtil.extract() is vulnerable to zip slip, allowing arbitrary file writes when loading TensorFlow SavedModel artifacts — trivially exploitable with no authentication required. Any ML pipeline that loads external or untrusted models via MLeap is at critical risk of full host compromise. Immediately audit mleap usage, apply the PR #866 patch, and sandbox all model loading operations.

Risk Assessment

Maximum exploitability: CVSS 9.8, network-accessible, no authentication, no user interaction required. Zip slip is a well-understood attack class requiring zero ML expertise — any attacker who can deliver a malicious model file achieves RCE. ML serving environments frequently run with elevated privileges and broad filesystem access, dramatically amplifying the blast radius beyond the model loading process itself.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
mleap	—	—	No patch

Do you use mleap? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 61% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

1 step

1) Patch: Apply fix from mleap PR #866 immediately. 2) Inventory: Identify all services using mleap TensorflowModel with saved_model format — check pom.xml, requirements, and Dockerfiles. 3) Sandbox: Run model loading in isolated containers with read-only root filesystems and explicitly scoped writable mounts. 4) Integrity: Enforce cryptographic signature verification (e.g., Sigstore/cosign) on all model artifacts before loading. 5) Least privilege: Model serving processes should run as unprivileged users with no write access outside designated model directories. 6) Detection: Alert on unexpected file writes from model serving processes, particularly to /etc, cron paths, SSH directories, or application roots.

Classification

Supply Chain Code Execution Framework Model AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system lifecycle

NIST AI RMF

MANAGE-2.2 - Risk treatment for AI components

OWASP LLM Top 10

LLM05:2023 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-5245?

MLeap's FileUtil.extract() is vulnerable to zip slip, allowing arbitrary file writes when loading TensorFlow SavedModel artifacts — trivially exploitable with no authentication required. Any ML pipeline that loads external or untrusted models via MLeap is at critical risk of full host compromise. Immediately audit mleap usage, apply the PR #866 patch, and sandbox all model loading operations.

Is CVE-2023-5245 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-5245, increasing the risk of exploitation.

How to fix CVE-2023-5245?

1) Patch: Apply fix from mleap PR #866 immediately. 2) Inventory: Identify all services using mleap TensorflowModel with saved_model format — check pom.xml, requirements, and Dockerfiles. 3) Sandbox: Run model loading in isolated containers with read-only root filesystems and explicitly scoped writable mounts. 4) Integrity: Enforce cryptographic signature verification (e.g., Sigstore/cosign) on all model artifacts before loading. 5) Least privilege: Model serving processes should run as unprivileged users with no write access outside designated model directories. 6) Detection: Alert on unexpected file writes from model serving processes, particularly to /etc, cron paths, SSH directories, or application roots.

What systems are affected by CVE-2023-5245?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps/CI-CD pipelines, training pipelines, inference pipelines.

What is the CVSS score for CVE-2023-5245?

CVE-2023-5245 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.41%.

Technical Details

NVD Description

FileUtil.extract() enumerates all zip file entries and extracts each file without validating whether file paths in the archive are outside the intended directory. When creating an instance of TensorflowModel using the saved_model format and an exported tensorflow model, the apply() function invokes the vulnerable implementation of FileUtil.extract(). Arbitrary file creation can directly lead to code execution

Exploitation Scenario

An adversary crafts a malicious TensorFlow SavedModel archive where zip entries contain path traversal sequences (e.g., ../../etc/cron.d/backdoor or ../../root/.ssh/authorized_keys). The archive is published to a public model hub (HuggingFace, MLflow registry) or injected into a CI/CD pipeline via a compromised upstream dependency. When a victim's ML serving infrastructure calls apply() to load the model via MLeap, FileUtil.extract() blindly extracts all entries — writing attacker-controlled files to arbitrary host locations. No authentication to the victim system is required; the exploit fires the moment the model is loaded, achieving persistent RCE via cron or immediate execution via overwritten application binaries.