CVE-2022-23580

MEDIUM

Google Tensorflow < 2.5.2 - Denial of Service

Title source: rule

Description

Tensorflow is an Open Source Machine Learning Framework. During shape inference, TensorFlow can allocate a large vector based on a value from a tensor controlled by the user. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

References (3)

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/security/advisories/GHSA-627q-g293-49q7

[Patch, Third Party Advisory] https://github.com/tensorflow/tensorflow/commit/1361fb7e29449629e1df94d44e0427ebec8c83c7

[Exploit, Third Party Advisory] https://github.com/tensorflow/tensorflow/blob/a1320ec1eac186da1d03f033109191f715b2b130/tensorflow/core/framework/shape_inference.cc#L788-L790

View Exploit ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0030

EPSS Percentile 53.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-1284 CWE-400

Status published

Products (5)

google/tensorflow 2.7.0

google/tensorflow < 2.5.2

pypi/tensorflow 0 - 2.5.3PyPI

pypi/tensorflow-cpu 0 - 2.5.3PyPI

pypi/tensorflow-gpu 0 - 2.5.3PyPI

Published Feb 04, 2022

Tracked Since Feb 18, 2026