Supply Chain
AI/ML systems sit on a long dependency chain: package managers (PyPI, npm, Cargo), model registries (HuggingFace Hub, Ollama Library), and dataset repositories. Each is a viable attack surface. Common patterns include typosquatting of popular AI packages, malicious post-install scripts in npm/PyPI uploads, and unsafe deserialization in shared model files — PyTorch and pickle-based formats can execute arbitrary code on load, which is why HuggingFace introduced the safer safetensors format. Model-registry attacks have included planting backdoored fine-tunes of popular base models that pass benchmark eval but misbehave on attacker-chosen triggers. Dataset poisoning is the slowest variant: an attacker who can influence a public training corpus inserts content that later teaches downstream models a backdoor. Defenses: pinned versions, signature verification, safetensors over pickle, provenance attestation (SLSA), and scanning model files before load.
| Severity | CVE | Headline | Package | CVSS |
|---|---|---|---|---|
| HIGH | CVE-2022-23566 | TensorFlow: heap OOB write in Grappler, RCE risk | tensorflow | 8.8 |
| HIGH | CVE-2022-23574 | TensorFlow: heap OOB read/write enables network RCE | tensorflow | 8.8 |
| MEDIUM | CVE-2022-23579 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23581 | TensorFlow: DoS via Grappler optimizer CHECK failure | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23583 | TensorFlow: SavedModel type confusion triggers DoS crash | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23588 | TensorFlow: DoS via crafted SavedModel crashes Grappler | tensorflow | 6.5 |
| MEDIUM | CVE-2022-23589 | TensorFlow Grappler: DoS via malicious SavedModel | tensorflow | 6.5 |
| HIGH | CVE-2022-23590 | TensorFlow: DoS via malicious SavedModel GraphDef | tensorflow | 7.5 |
| HIGH | CVE-2022-23591 | TensorFlow: SavedModel stack overflow via recursive GraphDef | tensorflow | 7.5 |
| MEDIUM | CVE-2022-23594 | TensorFlow MLIR: heap OOB via malicious SavedModel file | tensorflow | 5.5 |
| MEDIUM | CVE-2022-29212 | TensorFlow Lite: quantization assert crash (DoS) | tensorflow | 5.5 |
| HIGH | CVE-2022-29216 | TensorFlow CLI: eval() injection enables reverse shell | tensorflow | 7.8 |
| CRITICAL | CVE-2022-35937 | TensorFlow: GatherNd OOB read crashes inference servers | tensorflow | 9.1 |
| HIGH | CVE-2022-36011 | TensorFlow: null deref DoS in MLIR function conversion | tensorflow | 7.5 |
| HIGH | CVE-2022-41894 | TensorFlow Lite: buffer overflow in CONV_3D_TRANSPOSE op | tensorflow | 8.1 |
| CRITICAL | CVE-2023-25664 | TensorFlow: heap overflow in AvgPoolGrad, RCE risk | tensorflow | 9.8 |
| HIGH | CVE-2023-27579 | TensorFlow Lite: FPE in tflite model crashes inference runtime | tensorflow | 7.5 |
| HIGH | CVE-2023-27506 | Intel TF Opt: buffer overflow enables local priv-esc | optimization_for_tensorflow | 7.8 |
| CRITICAL | CVE-2023-5245 | MLeap: zip slip in model loading enables RCE | 9.8 | |
| MEDIUM | CVE-2023-30767 | Intel TF Opt: buffer overflow enables local privesc | optimization_for_tensorflow | 6.7 |