CVE-2025-0649: TensorFlow Serving: JSON recursion DoS on inference API

HIGH
Published May 6, 2025
CISO Take

Any TensorFlow Serving instance ≤2.18.0 with a network-accessible REST endpoint can be crashed by an unauthenticated attacker sending a single malformed JSON request — no ML knowledge required. Apply the patch commit immediately and, as a defense-in-depth measure, enforce JSON depth limits at the API gateway. If you cannot patch now, restrict TF Serving endpoints to internal networks or authenticated callers only.

Risk Assessment

High risk for organizations exposing TensorFlow Serving inference endpoints to untrusted networks. CVSS 7.5 with AV:N/AC:L/PR:N/UI:N means this is trivially exploitable by any internet-connected attacker. Impact is limited to availability — no data exfiltration or code execution — but repeated crashes of inference infrastructure cause direct business disruption and can cascade to downstream systems consuming model predictions. Not in CISA KEV, no confirmed active exploitation, but the low barrier to exploit makes opportunistic attacks likely.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
tensorflow_serving | pip | | No patch

Do you use tensorflow_serving? You're affected.

Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 34% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

Recommended Action

5 steps
  1. PATCH

    Apply commit 6cb013167d13f2ed3930aabb86dbc2c8c53f5adf from the tensorflow/serving repo immediately. No official patched release version is confirmed in the advisory — verify against your build.

  2. NETWORK

    Restrict TF Serving REST API ports to internal networks or require authenticated proxies (NGINX/Envoy with auth). Never expose raw TF Serving endpoints to the public internet.

  3. GATEWAY

    Implement JSON payload validation at the API gateway layer — enforce max nesting depth (recommend ≤10 levels) and max payload size.

  4. MONITORING

    Alert on sudden TF Serving process crashes or restarts. Log and inspect requests that arrive immediately before crashes.

  5. DETECTION

    Scan JSON inputs for recursive or deeply nested structures; a payload with nesting depth >20 is anomalous for typical inference requests.
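
One way to implement the depth and size checks from steps 3 and 5 as a pre-parse guard in front of the REST endpoint (an added example, not code from TensorFlow Serving or from this advisory). The names `json_nesting_depth`, `check_request` and the 1 MiB `MAX_BODY_BYTES` cap are assumptions; the depth limits are the ones recommended above. The scan is iterative, so the guard cannot itself be pushed into deep recursion by the input it inspects.

```python
from __future__ import annotations

MAX_DEPTH_BLOCK = 10      # gateway limit recommended on this page
MAX_DEPTH_ALERT = 20      # detection threshold given on this page
MAX_BODY_BYTES = 1 << 20  # assumption: 1 MiB cap, tune per model

def json_nesting_depth(body: bytes, stop_after: int | None = None) -> int:
    """Max object/array nesting depth, found by an iterative byte scan.

    No recursion and no full parse, so the guard cannot itself be driven
    into deep recursion. Brackets inside string literals are ignored.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for b in body:
        if in_string:
            if escaped:
                escaped = False
            elif b == 0x5C:        # backslash starts an escape
                escaped = True
            elif b == 0x22:        # unescaped quote ends the string
                in_string = False
        elif b == 0x22:
            in_string = True
        elif b in (0x7B, 0x5B):    # '{' or '['
            depth += 1
            max_depth = max(max_depth, depth)
            if stop_after is not None and max_depth > stop_after:
                break              # early exit: already over the limit
        elif b in (0x7D, 0x5D):    # '}' or ']'
            depth = max(depth - 1, 0)
    return max_depth

def check_request(body: bytes) -> tuple[int, str]:
    """Return (HTTP status, reason) for a gateway filter to act on."""
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    depth = json_nesting_depth(body, stop_after=MAX_DEPTH_ALERT)
    if depth > MAX_DEPTH_ALERT:
        return 400, "nesting depth anomalous, raise alert"
    if depth > MAX_DEPTH_BLOCK:
        return 400, "nesting depth over gateway limit"
    return 200, "ok"

if __name__ == "__main__":
    # Constructed sample bodies, not captured traffic.
    normal = b'{"instances": [[1.0, 2.0, 5.0]]}'
    nested = b'{"instances": ' + b"[" * 15 + b"1" + b"]" * 15 + b"}"
    print(check_request(normal), check_request(nested))
```

The guard only bounds depth and size; it does not validate JSON syntax, so well-formed checking still happens in the backend parser.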

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.9.3 - AI System Operation and Monitoring
NIST AI RMF
MANAGE-2.2 - AI Risk Monitoring and Response
OWASP LLM Top 10
LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2025-0649?

Any TensorFlow Serving instance ≤2.18.0 with a network-accessible REST endpoint can be crashed by an unauthenticated attacker sending a single malformed JSON request — no ML knowledge required. Apply the patch commit immediately and, as a defense-in-depth measure, enforce JSON depth limits at the API gateway. If you cannot patch now, restrict TF Serving endpoints to internal networks or authenticated callers only.

Is CVE-2025-0649 actively exploited?

No confirmed active exploitation of CVE-2025-0649 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-0649?

1. PATCH: Apply commit 6cb013167d13f2ed3930aabb86dbc2c8c53f5adf from the tensorflow/serving repo immediately. No official patched release version is confirmed in the advisory — verify against your build.
2. NETWORK: Restrict TF Serving REST API ports to internal networks or require authenticated proxies (NGINX/Envoy with auth). Never expose raw TF Serving endpoints to the public internet.
3. GATEWAY: Implement JSON payload validation at the API gateway layer — enforce max nesting depth (recommend ≤10 levels) and max payload size.
4. MONITORING: Alert on sudden TF Serving process crashes or restarts. Log and inspect requests that arrive immediately before crashes.
5. DETECTION: Scan JSON inputs for recursive or deeply nested structures; a payload with nesting depth >20 is anomalous for typical inference requests.

What systems are affected by CVE-2025-0649?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, ML inference pipelines, real-time prediction services.

What is the CVSS score for CVE-2025-0649?

CVE-2025-0649 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.14%.

Technical Details

NVD Description

Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash.

Exploitation Scenario

An attacker targets an organization's public-facing TensorFlow Serving REST endpoint (typically port 8501). They craft a minimal HTTP POST request to /v1/models/<model_name>:predict containing a JSON body with deeply nested objects or arrays — e.g., {"instances": [{"a": {"a": {"a": ... (500+ levels deep)}}}]}. When TF Serving attempts to stringify this input for logging or validation, it enters unbounded recursion in the C++ JSON processing code, triggering a stack overflow (CWE-121). The serving process crashes immediately. The attacker repeats this at low rate to prevent recovery, achieving sustained denial of service against all models hosted on the instance. No credentials, no ML knowledge, and no interaction from legitimate users is required.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
May 6, 2025
Last Modified
July 31, 2025
First Seen
May 6, 2025
