CVE-2025-55556: TensorFlow: non-deterministic compilation breaks Embedding

MEDIUM PoC AVAILABLE
Published September 25, 2025
CISO Take

TensorFlow 2.18.0 silently corrupts Embedding layer outputs during JIT compilation, producing random results without raising errors. Production AI systems using embeddings — NLP, recommendations, RAG retrievers — should treat outputs as untrustworthy until the affected version is replaced or JIT compilation is disabled; no patched release is listed. The no-auth network-accessible vector (AV:N/PR:N) means any internet-exposed TF serving endpoint running 2.18.0 is in scope.

What is the risk?

Medium risk, but with a compliance tail that punches above its CVSS weight. The silent integrity failure mode is more dangerous than a crash: corrupted embedding vectors propagate downstream — through ranking, classification, or retrieval — without triggering alerts. For regulated AI deployments under EU AI Act or ISO 42001, this constitutes a documented robustness failure requiring formal risk treatment regardless of whether active exploitation is observed.

What systems are affected?

Package      Ecosystem   Vulnerable Range   Patched
TensorFlow   pip         2.18.0             No patch

Do you run TensorFlow 2.18.0? You're affected. The advisory names only that release; verify the installed version (pip show tensorflow) rather than assuming every TensorFlow deployment is in scope.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 6% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV  Attack Vector         Network
AC  Attack Complexity     Low
PR  Privileges Required   None
UI  User Interaction      None
S   Scope                 Unchanged
C   Confidentiality       None
I   Integrity             Low
A   Availability          Low

What should I do?

5 steps
  1. Audit all environments for TensorFlow 2.18.0 — treat any Embedding-based production model as suspect until verified.

  2. Immediate workaround: disable XLA JIT via tf.config.optimizer.set_jit(False) for Embedding-heavy models. Caveat: that call only turns off global auto-clustering, which is already off by default, so also remove explicit opt-ins: jit_compile=True on tf.function or on Keras model.compile(), and any TF_XLA_FLAGS=--tf_xla_auto_jit setting in the serving environment.

  3. Add embedding output validation to serving pipelines: check norm distributions, detect NaN/Inf, flag statistical outliers against baseline.

  4. Track https://github.com/tensorflow/tensorflow/issues/82317 for official patch timeline.

  5. Add determinism regression tests in CI/CD for any model using Embedding layers.
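Steps 3 and 5 above describe two checks without showing them. The following is an added example written for this page, not TensorFlow's or the advisory's own code: a serving-side validator for embedding batches (NaN/Inf detection and L2-norm outliers against a trusted baseline) plus a determinism regression test that re-runs the same token ids and requires identical output. It depends only on the standard library so it runs offline. The `_LookupTable` and `_DriftingTable` classes are constructed stand-ins for an Embedding layer; the second imitates the reported failure mode (values that change between otherwise identical calls, with no error raised). `embed_fn` is assumed to be any callable mapping a sequence of ids to a list of float vectors, such as a wrapped tf.function around a Keras Embedding layer.

```python
"""Embedding output-integrity and determinism checks (added example, stdlib only)."""
from __future__ import annotations

import math
import statistics
from typing import Callable, Sequence

Vector = Sequence[float]


def l2_norm(v: Vector) -> float:
    return math.sqrt(sum(x * x for x in v))


def non_finite_rows(vectors: Sequence[Vector]) -> list[int]:
    """Indices of vectors containing NaN or +/-Inf (step 3: detect NaN/Inf)."""
    return [i for i, v in enumerate(vectors) if not all(math.isfinite(x) for x in v)]


def baseline_norm_stats(reference: Sequence[Vector]) -> tuple[float, float]:
    """Mean and population std-dev of L2 norms from a trusted reference batch."""
    norms = [l2_norm(v) for v in reference]
    return statistics.fmean(norms), statistics.pstdev(norms)


def norm_outlier_rows(vectors: Sequence[Vector], mean: float, std: float,
                      z_max: float = 4.0) -> list[int]:
    """Indices whose L2 norm is more than z_max std-devs from the baseline mean.
    Rows with a non-finite norm are reported by non_finite_rows(), so skip them here."""
    if std <= 0:
        raise ValueError("baseline std must be positive")
    flagged = []
    for i, v in enumerate(vectors):
        n = l2_norm(v)
        if math.isfinite(n) and abs(n - mean) / std > z_max:
            flagged.append(i)
    return flagged


def validate_batch(vectors: Sequence[Vector], mean: float, std: float,
                   z_max: float = 4.0) -> dict:
    """Serving-side gate: which rows to reject, and why."""
    bad_finite = non_finite_rows(vectors)
    bad_norm = norm_outlier_rows(vectors, mean, std, z_max)
    return {"non_finite": bad_finite, "norm_outliers": bad_norm,
            "ok": not bad_finite and not bad_norm}


def max_abs_diff(a: Sequence[Vector], b: Sequence[Vector]) -> float:
    """Largest element-wise difference between two batches of equal shape."""
    if len(a) != len(b) or any(len(x) != len(y) for x, y in zip(a, b)):
        raise ValueError("shape mismatch between runs")
    return max((abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb)), default=0.0)


def is_deterministic(embed_fn: Callable[[Sequence[int]], list[list[float]]],
                     token_ids: Sequence[int], runs: int = 3, atol: float = 0.0) -> bool:
    """Step 5: the same ids must embed to the same vectors on every call.
    atol=0.0 demands identical output; loosen only for a documented floating-point reason."""
    first = embed_fn(token_ids)
    return all(max_abs_diff(first, embed_fn(token_ids)) <= atol for _ in range(runs - 1))


class _LookupTable:
    """Constructed stand-in for a healthy Embedding layer: a fixed table lookup."""
    def __init__(self, vocab: int = 8, dim: int = 4):
        self.table = [[(i + j) / 10 for j in range(dim)] for i in range(vocab)]

    def __call__(self, ids: Sequence[int]) -> list[list[float]]:
        return [list(self.table[i]) for i in ids]


class _DriftingTable(_LookupTable):
    """Constructed stand-in for the reported failure mode: each call returns
    slightly different values for the same ids, and nothing raises."""
    def __init__(self, **kw):
        super().__init__(**kw)
        self.calls = 0

    def __call__(self, ids: Sequence[int]) -> list[list[float]]:
        self.calls += 1
        return [[x + 0.01 * self.calls for x in row] for row in super().__call__(ids)]


def demo() -> dict:
    good, bad = _LookupTable(), _DriftingTable()
    ids = [1, 3, 5]
    mean, std = baseline_norm_stats(good(range(8)))   # baseline from the trusted table
    batch = good(ids)
    batch[1] = [10.0, 10.0, 10.0, 10.0]               # constructed corrupt row (norm 20)
    batch.append([0.0, float("nan"), 0.0, 0.0])       # constructed NaN row
    return {
        "deterministic_good": is_deterministic(good, ids),
        "deterministic_bad": is_deterministic(bad, ids),
        "report": validate_batch(batch, mean, std),
    }


if __name__ == "__main__":
    print(demo())
```

In CI, `is_deterministic` should run against the exported model (JIT enabled exactly as in serving) on a fixed id set; in serving, `validate_batch` gates each response and its rejections should be alerted on as an integrity signal rather than logged as data-quality noise.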

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system reliability and robustness
NIST AI RMF
RV 2.1 - Evaluate AI system trustworthiness — reliability
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-55556?

TensorFlow 2.18.0 silently corrupts Embedding layer outputs during JIT compilation, producing random results without raising errors. Production AI systems using embeddings — NLP, recommendations, RAG retrievers — should treat outputs as untrustworthy until the affected version is replaced or JIT compilation is disabled; no patched release is listed. The no-auth network-accessible vector (AV:N/PR:N) means any internet-exposed TF serving endpoint running 2.18.0 is in scope.

Is CVE-2025-55556 actively exploited?

No active exploitation of CVE-2025-55556 has been reported (CISA SSVC: Exploitation none, EPSS 0.16%), but proof-of-concept code is publicly indexed (trickest/cve), which raises the likelihood of exploitation.

How to fix CVE-2025-55556?

1. Audit all environments for TensorFlow 2.18.0 — treat any Embedding-based production model as suspect until verified.
2. Immediate workaround: disable XLA JIT via tf.config.optimizer.set_jit(False) for Embedding-heavy models.
3. Add embedding output validation to serving pipelines: check norm distributions, detect NaN/Inf, flag statistical outliers against baseline.
4. Track https://github.com/tensorflow/tensorflow/issues/82317 for official patch timeline.
5. Add determinism regression tests in CI/CD for any model using Embedding layers.

What systems are affected by CVE-2025-55556?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, NLP/transformer pipelines, recommendation systems, RAG pipelines.

What is the CVSS score for CVE-2025-55556?

CVE-2025-55556 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.16% (shown rounded to 0.2% above).

What is the AI security impact?

Affected AI Architectures

training pipelines, model serving, NLP/transformer pipelines, recommendation systems, RAG pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0031 Erode AI Model Integrity
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: RV 2.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application.

Exploitation Scenario

An adversary targeting an organization's TF-based recommendation or NLP service sends inference requests that trigger Embedding JIT compilation on TensorFlow 2.18.0. The resulting non-deterministic outputs corrupt ranking scores or classification confidence values. Because no error is raised, the degraded behavior is attributed to model drift or data quality issues rather than a security event — buying the adversary time. In a SaaS context with no auth required (AV:N/PR:N), this is exploitable from the internet. The technique aligns with AML.T0031 (Erode AI Model Integrity): introduce systematic noise that erodes confidence in the AI system over time before a more targeted operation.

Weaknesses (CWE)

CWE-506 — Embedded Malicious Code: The product contains code that appears to be malicious in nature. Note: CWE-506 is the weakness assigned in the record, but the advisory text describes a compiler correctness defect (random outputs on compilation), not intentionally planted code, so the generic CWE-506 mitigation quoted below should be read with that mismatch in mind.

  • [Implementation, Operation] Remove the malicious code and start an effort to ensure that no more malicious code exists. This may require a detailed review of all code, as it is possible to hide a serious attack in only one or two lines of code. These lines may be located almost anywhere in an application and may have been intentionally obfuscated by the attacker.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025
