PyPI: tensorflow-cpu
CVE-2022-23591
Safety vulnerability ID: SFTY-20220204-76383
Safety legacy ID: pyup.io-55597
Tensorflow is an Open Source Machine Learning Framework. The 'GraphDef' format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a 'GraphDef' containing a fragment such as the following can be consumed when loading a 'SavedModel'. This would result in a stack overflow during execution as resolving each 'NodeDef' means resolving the function itself and its nodes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Overview
Stack overflow in TensorFlow
Advisory
Tensorflow is an Open Source Machine Learning Framework. The 'GraphDef' format in TensorFlow does not allow self recursive functions. The runtime assumes that this invariant is satisfied. However, a 'GraphDef' containing a fragment such as the following can be consumed when loading a 'SavedModel'. This would result in a stack overflow during execution as resolving each 'NodeDef' means resolving the function itself and its nodes. The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.
Affected Package
Also affects
---
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20220204-76383/CVE-2022-23591
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23591
- https://github.com/tensorflow/tensorflow/commit/448a16182065bd08a202d9057dd8ca541e67996c
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-247x-2f9f-5wp7
- https://github.com/tensorflow/tensorflow/security/advisories/GHSA-247x-2f9f-5wp7
- https://github.com/tensorflow/tensorflow/commit/448a16182065bd08a202d9057dd8ca541e67996c
- https://nvd.nist.gov/vuln/detail/CVE-2022-23591
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-cpu/PYSEC-2022-100.yaml
- https://github.com/pypa/advisory-database/tree/main/vulns/tensorflow-gpu/PYSEC-2022-155.yaml
- https://github.com/advisories/GHSA-247x-2f9f-5wp7
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
Learn more