CVE-2025-55556: TensorFlow: non-deterministic compilation breaks Embedding

Severity: MEDIUM. Public PoC available.
Published September 25, 2025
CISO Take

TensorFlow 2.18.0 can return random values from an Embedding layer when that layer is JIT-compiled, and it raises no error while doing so (NVD: "output random results when compiling Embedding"). Production systems whose inputs pass through embeddings, including NLP models, recommenders and RAG retrievers, should treat those outputs as untrustworthy until the build is verified or patched. The CVSS vector is network-reachable with no authentication (AV:N/PR:N), so internet-exposed TF serving endpoints are nominally in scope; read that as the scoring upper bound rather than a confirmed remote trigger, since the CISA SSVC entry below rates the issue not automatable with no known exploitation.

Risk Assessment

Medium risk, but with a compliance tail that punches above its CVSS weight. The silent integrity failure mode is more dangerous than a crash: corrupted embedding vectors propagate downstream — through ranking, classification, or retrieval — without triggering alerts. For regulated AI deployments under EU AI Act or ISO 42001, this constitutes a documented robustness failure requiring formal risk treatment regardless of whether active exploitation is observed.

Affected Systems

Package: tensorflow
Ecosystem: pip
Vulnerable range: not listed (the NVD description names v2.18.0)
Patched: No patch


Severity & Risk

CVSS 3.1 base score: 6.5 / 10 (Medium)
EPSS: 0.03% chance of exploitation in the next 30 days (higher than 9% of all CVEs)
Exploitation status: public PoC indexed (trickest/cve); exploitation likelihood rated MEDIUM, sophistication moderate, confidence medium
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): Low
Availability (A): Low

Recommended Action

  1. Audit all environments for TensorFlow 2.18.0 — treat any Embedding-based production model as suspect until verified.

  2. Immediate workaround: disable XLA JIT for Embedding-heavy models with tf.config.optimizer.set_jit(False). Note that this only turns off XLA auto-clustering; functions decorated with tf.function(jit_compile=True) or models built with model.compile(jit_compile=True) still go through XLA, so search the codebase for jit_compile=True as well. Re-run the model's evaluation set after the change to confirm outputs are stable across repeated runs.

  3. Add embedding output validation to serving pipelines: check norm distributions, detect NaN/Inf, flag statistical outliers against baseline.

  4. Track https://github.com/tensorflow/tensorflow/issues/82317 for official patch timeline.

  5. Add determinism regression tests in CI/CD for any model using Embedding layers.
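Steps 3 and 5 above call for output validation in serving and a determinism regression test in CI. The following is an added example written for this page, not TensorFlow project code or PoC code: it is stdlib-only so it runs without TensorFlow installed, and `good_embed` / `faulty_embed` are constructed stand-ins for an Embedding call (the faulty one models the reported failure mode by returning random rows for some ids). In a real pipeline `embed` would wrap `model.predict` or a `tf.function` returning one vector per token id, and `baseline_stats` would be recorded from a known-good build and stored alongside the model.

```python
"""Determinism regression test and output sanity checks for an embedding call.

Added example (not TensorFlow project code). Stdlib-only so it runs without
TensorFlow; `good_embed` and `faulty_embed` below are constructed stand-ins.
"""
import math
import random
import statistics
from typing import Callable, Sequence

EmbedFn = Callable[[Sequence[int]], list[list[float]]]  # token ids -> one row per id


def has_non_finite(vecs: Sequence[Sequence[float]]) -> bool:
    """True if any element is NaN or +/-Inf."""
    return any(not math.isfinite(x) for v in vecs for x in v)


def l2_norms(vecs: Sequence[Sequence[float]]) -> list[float]:
    return [math.sqrt(sum(x * x for x in v)) for v in vecs]


def baseline_stats(vecs: Sequence[Sequence[float]]) -> tuple[float, float]:
    """Mean and population std-dev of row norms, taken from a known-good run."""
    norms = l2_norms(vecs)
    return statistics.fmean(norms), statistics.pstdev(norms)


def determinism_failures(embed: EmbedFn, token_ids: Sequence[int],
                         runs: int = 3, atol: float = 0.0) -> list[int]:
    """Call embed() `runs` times on identical input; return indices whose row changed.

    atol=0.0 demands bit-identical rows, which a table lookup must satisfy. Relax it
    only for layers where floating-point reduction order legitimately varies.
    """
    reference = embed(token_ids)
    changed: set[int] = set()
    for _ in range(runs - 1):
        for i, (a, b) in enumerate(zip(reference, embed(token_ids))):
            if len(a) != len(b) or any(abs(x - y) > atol for x, y in zip(a, b)):
                changed.add(i)
    return sorted(changed)


def norm_outliers(vecs: Sequence[Sequence[float]], baseline_mean: float,
                  baseline_std: float, z: float = 4.0) -> list[int]:
    """Indices whose L2 norm sits more than z baseline std-devs from the baseline mean."""
    norms = l2_norms(vecs)
    if baseline_std == 0.0:  # degenerate baseline: any deviation is an outlier
        return [i for i, n in enumerate(norms) if n != baseline_mean]
    return [i for i, n in enumerate(norms) if abs(n - baseline_mean) > z * baseline_std]


def validate_embeddings(embed: EmbedFn, token_ids: Sequence[int],
                        baseline_mean: float, baseline_std: float) -> dict:
    """Serving-side gate. Every value False/empty means the batch passed."""
    vecs = embed(token_ids)
    return {
        "non_finite": has_non_finite(vecs),
        "nondeterministic_rows": determinism_failures(embed, token_ids),
        "norm_outlier_rows": norm_outliers(vecs, baseline_mean, baseline_std),
    }


# --- Constructed stand-ins for an Embedding layer (assumption, not real TF output) ---
DIM = 8
VOCAB = 100
_TABLE = {t: [math.sin(0.37 * t + d) for d in range(DIM)] for t in range(VOCAB)}


def good_embed(ids: Sequence[int]) -> list[list[float]]:
    """Behaves like a correct lookup: same id, same row, every call."""
    return [list(_TABLE[t]) for t in ids]


_rng = random.Random(0)


def faulty_embed(ids: Sequence[int]) -> list[list[float]]:
    """Models the reported failure: some rows come back as fresh random values each call."""
    return [[_rng.uniform(-1.0, 1.0) for _ in range(DIM)] if t % 7 == 0 else list(_TABLE[t])
            for t in ids]


if __name__ == "__main__":
    mean, std = baseline_stats(good_embed(range(VOCAB)))
    batch = list(range(20))
    print("good  :", validate_embeddings(good_embed, batch, mean, std))
    print("faulty:", validate_embeddings(faulty_embed, batch, mean, std))
```

Wire `validate_embeddings` in front of whatever consumes the vectors and fail closed on any finding; in CI, `determinism_failures` with `atol=0.0` against a fixed token batch is the regression test, and it should be run both with and without JIT enabled so a future regression in either path is caught.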

CISA SSVC Assessment

Decision: Track
Exploitation: none
Automatable: No
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.5 - AI system reliability and robustness
NIST AI RMF
RV 2.1 - Evaluate AI system trustworthiness — reliability
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-55556?

A bug in TensorFlow 2.18.0 (NVD: "output random results when compiling Embedding") makes Embedding layer outputs non-deterministic under JIT compilation without raising an error. It is scored as an integrity and availability issue (CVSS 3.1 6.5, Medium) and affects any model that embeds tokens or IDs, so NLP, recommendation and RAG deployments on that version should treat embedding outputs as untrustworthy until verified or patched.

Is CVE-2025-55556 actively exploited?

There is no evidence of active exploitation: the CISA SSVC assessment records Exploitation: none, and EPSS puts the 30-day exploitation probability at 0.03%. A public proof of concept is indexed in trickest/cve, which lowers the effort needed to reproduce the faulty behaviour.

How to fix CVE-2025-55556?

Follow the five steps under Recommended Action: audit every environment for TensorFlow 2.18.0 and treat Embedding-based production models as suspect until verified; as an interim workaround disable XLA JIT with tf.config.optimizer.set_jit(False) and check for explicit jit_compile=True; validate embedding outputs in serving (NaN/Inf, norm distribution, outliers against a recorded baseline); track https://github.com/tensorflow/tensorflow/issues/82317 for an official patch; and add determinism regression tests to CI/CD for any model using Embedding layers.

What systems are affected by CVE-2025-55556?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, NLP/transformer pipelines, recommendation systems, RAG pipelines.

What is the CVSS score for CVE-2025-55556?

CVE-2025-55556 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

TensorFlow v2.18.0 was discovered to output random results when compiling Embedding, leading to unexpected behavior in the application.

Exploitation Scenario

Illustrative scenario, not an observed incident: an adversary targeting an organization's TF-based recommendation or NLP service on TensorFlow 2.18.0 sends inference requests that cause the Embedding layer to be JIT-compiled. The resulting non-deterministic outputs corrupt ranking scores or classification confidence values. Because no error is raised, the degradation is likely to be attributed to model drift or data quality rather than a security event, buying the adversary time. Where the endpoint requires no authentication (AV:N/PR:N in the CVSS vector) this is reachable from the internet, although whether a request can actually force compilation depends on how the serving stack compiles and caches graphs, which is why CISA rates the issue not automatable. The technique aligns with AML.T0031 (Erode AI Model Integrity): introduce systematic noise that erodes confidence in the AI system over time before a more targeted operation.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Timeline

Published
September 25, 2025
Last Modified
October 3, 2025
First Seen
September 25, 2025

Related Vulnerabilities