CVE-2025-0649: TensorFlow Serving: JSON recursion DoS on inference API
Severity: HIGH
Any TensorFlow Serving instance ≤2.18.0 with a network-accessible REST endpoint can be crashed by an unauthenticated attacker sending a single malformed JSON request — no ML knowledge required. Apply the patch commit immediately and, as a defense-in-depth measure, enforce JSON depth limits at the API gateway. If you cannot patch now, restrict TF Serving endpoints to internal networks or authenticated callers only.
What is the risk?
High risk for organizations exposing TensorFlow Serving inference endpoints to untrusted networks. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means this is trivially exploitable by any internet-connected attacker. Impact is limited to availability — no data exfiltration or code execution — but repeated crashes of inference infrastructure cause direct business disruption and can cascade to downstream systems consuming model predictions. Not in CISA KEV, no confirmed active exploitation, but the low barrier to exploit makes opportunistic attacks likely.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| TensorFlow | pip | — | No patch |
Do you use TensorFlow? You're affected.
What should I do?
5 steps:
1. PATCH: Apply commit 6cb013167d13f2ed3930aabb86dbc2c8c53f5adf from the tensorflow/serving repo immediately. No official patched release version is confirmed in the advisory — verify against your build.
2. NETWORK: Restrict TF Serving REST API ports to internal networks or require authenticated proxies (NGINX/Envoy with auth). Never expose raw TF Serving endpoints to the public internet.
3. GATEWAY: Implement JSON payload validation at the API gateway layer — enforce max nesting depth (recommend ≤10 levels) and max payload size.
4. MONITORING: Alert on sudden TF Serving process crashes or restarts. Log and inspect requests that arrive immediately before crashes.
5. DETECTION: Scan JSON inputs for recursive or deeply nested structures; a payload with nesting depth >20 is anomalous for typical inference requests.
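A gateway-side check implementing the GATEWAY and DETECTION steps above, added here as an example (not code from TensorFlow Serving or the advisory). It measures nesting depth on the raw bytes before any JSON parser is allowed to recurse; the 10 and 20 thresholds are the page's recommendations, while the 1 MB size cap and the sample request bodies are assumed/constructed values.

```python
import json

MAX_GATEWAY_DEPTH = 10      # reject above this (this page's recommendation)
ALERT_DEPTH = 20            # anomalous above this (this page's recommendation)
MAX_BODY_BYTES = 1_000_000  # assumed example size cap; tune per deployment


def max_json_depth(raw: bytes, stop_at: int = ALERT_DEPTH) -> int:
    """Deepest {}/[] nesting in raw JSON, counted without building a tree; string
    contents are skipped and scanning stops once depth exceeds stop_at (O(1) memory)."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in raw.decode("utf-8", errors="replace"):
        if in_string:                       # brackets inside strings do not nest
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            max_depth = max(max_depth, depth)
            if max_depth > stop_at:         # hostile body: stop early, no parse
                break
        elif ch in "}]":
            depth -= 1
    return max_depth


def validate_predict_body(raw: bytes) -> tuple:
    """Gateway decision for a /v1/models/<name>:predict body: (allowed, reason)."""
    if len(raw) > MAX_BODY_BYTES:
        return False, "payload too large"
    depth = max_json_depth(raw)
    if depth > ALERT_DEPTH:                 # detection signal: log and alert SOC
        return False, "anomalous nesting depth"
    if depth > MAX_GATEWAY_DEPTH:
        return False, "nesting depth exceeds gateway limit"
    try:                                    # only now may a parser recurse
        body = json.loads(raw)
    except ValueError:
        return False, "malformed JSON"
    if not isinstance(body, dict) or not any(k in body for k in ("instances", "inputs")):
        return False, "missing 'instances' or 'inputs'"
    return True, "ok"

# Constructed samples: a normal row-format request and an over-nested one.
NORMAL_BODY = b'{"instances": [[1.0, 2.0, "{[not nesting]}"], [3.0, 4.0]]}'
DEEP_BODY = b'{"instances": [' + b'{"a": ' * 30 + b'1' + b'}' * 30 + b']}'
```

Run the check in the gateway's request filter so TF Serving never receives a body the depth scanner rejected; the early stop keeps the scanner itself immune to the same class of input.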
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-0649?
Any TensorFlow Serving instance ≤2.18.0 with a network-accessible REST endpoint can be crashed by an unauthenticated attacker sending a single malformed JSON request — no ML knowledge required. Apply the patch commit immediately and, as a defense-in-depth measure, enforce JSON depth limits at the API gateway. If you cannot patch now, restrict TF Serving endpoints to internal networks or authenticated callers only.
Is CVE-2025-0649 actively exploited?
No confirmed active exploitation of CVE-2025-0649 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-0649?
1. PATCH: Apply commit 6cb013167d13f2ed3930aabb86dbc2c8c53f5adf from the tensorflow/serving repo immediately. No official patched release version is confirmed in the advisory — verify against your build.
2. NETWORK: Restrict TF Serving REST API ports to internal networks or require authenticated proxies (NGINX/Envoy with auth). Never expose raw TF Serving endpoints to the public internet.
3. GATEWAY: Implement JSON payload validation at the API gateway layer — enforce max nesting depth (recommend ≤10 levels) and max payload size.
4. MONITORING: Alert on sudden TF Serving process crashes or restarts. Log and inspect requests that arrive immediately before crashes.
5. DETECTION: Scan JSON inputs for recursive or deeply nested structures; a payload with nesting depth >20 is anomalous for typical inference requests.
What systems are affected by CVE-2025-0649?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, ML inference pipelines, real-time prediction services.
What is the CVSS score for CVE-2025-0649?
CVE-2025-0649 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.18%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0029 Denial of AI Service
- AML.T0034 Cost Harvesting
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash.
Exploitation Scenario
An attacker targets an organization's public-facing TensorFlow Serving REST endpoint (typically port 8501). They craft a minimal HTTP POST request to /v1/models/<model_name>:predict containing a JSON body with deeply nested objects or arrays — e.g., {"instances": [{"a": {"a": {"a": ... (500+ levels deep)}}}]}. When TF Serving attempts to stringify this input for logging or validation, it enters unbounded recursion in the C++ JSON processing code, triggering a stack overflow (CWE-121). The serving process crashes immediately. The attacker repeats this at low rate to prevent recovery, achieving sustained denial of service against all models hosted on the instance. No credentials, no ML knowledge, and no interaction from legitimate users is required.
Weaknesses (CWE)
CWE-787 — Out-of-bounds Write: The product writes data past the end, or before the beginning, of the intended buffer.
- [Requirements] Use a language that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. For example, many languages that perform their own memory management, such as Java and Perl, are not subject to buffer overflows. Other languages, such as Ada and C#, typically provide overflow protection, but the protection can be disabled by the programmer. Be wary that a language's interface to native code may still be subject to overflows, even if the language itself is theoretically safe.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid. Examples include the Safe C String Library (SafeStr) by Messier and Viega [REF-57], and the Strsafe.h library from Microsoft [REF-56]. These libraries provide safer versions of overflow-prone string-handling functions.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Related Vulnerabilities
- CVE-2020-15196 (9.9) TensorFlow: heap OOB read in sparse/ragged count ops (same package: tensorflow)
- CVE-2020-15205 (9.8) TensorFlow: heap overflow in StringNGrams, ASLR bypass (same package: tensorflow)
- CVE-2020-15208 (9.8) TFLite: OOB read/write via tensor dimension mismatch (same package: tensorflow)
- CVE-2019-16778 (9.8) TensorFlow: heap overflow in UnsortedSegmentSum op (same package: tensorflow)
- CVE-2022-23587 (9.8) TensorFlow: integer overflow in Grappler enables RCE (same package: tensorflow)