Remote Code Execution in TensorFlow via Insecure Deserialization in SavedModel Format
Overview
A critical insecure deserialization vulnerability was discovered in TensorFlow's SavedModel format. While SavedModel is a more structured format than raw pickle, certain components, particularly those involving custom resource objects and lambda functions within the model graph, could be manipulated to trigger arbitrary code execution during model loading. The vulnerability, identified as CVE-2025-31337, stems from the `tf.saved_model.load()` function, which, under specific circumstances, would deserialize and execute Python code embedded within a maliciously crafted model's `saved_model.pb` file. An attacker could create a TensorFlow model containing a payload in a `tf.function` graph that uses `tf.py_function` to wrap arbitrary Python code. When a victim loads this model, TensorFlow's session initialization process executes the graph, triggering the payload. This allows for remote code execution on the machine loading the model, posing a severe threat to MLOps pipelines, AI-powered applications, and researchers who download pre-trained models from public repositories. The fix involved adding stricter validation and sandboxing during the model deserialization process, preventing the execution of arbitrary Python functions not explicitly whitelisted.
Affected Systems
Testing Guide
1. Check your installed TensorFlow version using `pip show tensorflow`.
2. If the version is older than the patched versions listed under Patch Details, your environment is vulnerable.
3. To test safely, obtain a proof-of-concept (PoC) model file from a trusted security source that demonstrates the vulnerability through a harmless action (e.g., creating a file).
4. In a sandboxed, isolated environment, attempt to load the PoC model using `tf.saved_model.load()`. If the harmless action is triggered, the vulnerability is confirmed.
Mitigation Steps
1. **Upgrade TensorFlow**: Immediately update to the patched versions (2.15.1, 2.14.2, 2.13.3 or newer).
2. **Scan Models**: Use security scanners to analyze SavedModel directories for suspicious operators like `tf.py_function` or `tf.numpy_function` before loading them.
3. **Load from Trusted Sources**: Only load models from verified publishers and sources. Avoid using models from untrusted repositories.
4. **Use TFLite for Inference**: Where possible, convert models to the more restrictive TensorFlow Lite (`.tflite`) format for deployment, as it has a much more limited and secure operator set, reducing the attack surface.
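The following is an added example of mitigation step 2, not code from TensorFlow or from this advisory. It statically walks `saved_model.pb` with a minimal protobuf wire-format reader and reports every node whose op type is `PyFunc`, `PyFuncStateless` or `EagerPyFunc` (the kernels behind `tf.numpy_function`, `tf.compat.v1.py_func` and `tf.py_function`), both in the top-level graph and inside every function in the graph's function library. It never calls `tf.saved_model.load()`, so nothing in the file is executed, and it needs no TensorFlow installation. The protobuf field numbers are taken from TensorFlow's public `.proto` definitions; `build_constructed_sample` and the node names in it are constructed test data, not a real model.

```python
import os

# Op types that hand control to arbitrary Python when the graph runs.
DANGEROUS_OPS = {"PyFunc", "PyFuncStateless", "EagerPyFunc"}


def _read_varint(buf, i):
    """Decode a protobuf base-128 varint starting at buf[i]; return (value, next_index)."""
    value = shift = 0
    while True:
        b = buf[i]
        i += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, i
        shift += 7


def _fields(buf):
    """Yield (field_number, wire_type, payload) for each top-level field of one message."""
    i = 0
    while i < len(buf):
        key, i = _read_varint(buf, i)
        field, wire = key >> 3, key & 7
        if wire == 0:                        # varint
            payload, i = _read_varint(buf, i)
        elif wire == 1:                      # fixed 64-bit
            payload, i = buf[i:i + 8], i + 8
        elif wire == 2:                      # length-delimited: strings and sub-messages
            n, i = _read_varint(buf, i)
            payload, i = buf[i:i + n], i + n
        elif wire == 5:                      # fixed 32-bit
            payload, i = buf[i:i + 4], i + 4
        else:
            raise ValueError(f"unsupported protobuf wire type {wire}")
        yield field, wire, payload


def _submessages(buf, field):
    """All length-delimited values of one field number (repeated fields included)."""
    return [v for f, w, v in _fields(buf) if f == field and w == 2]


def _string(buf, field, default=""):
    vals = _submessages(buf, field)
    return vals[0].decode("utf-8", "replace") if vals else default


def _node_defs(graph_def):
    """Yield (scope, NodeDef bytes) from GraphDef.node and from every FunctionDef in GraphDef.library."""
    for node in _submessages(graph_def, 1):              # GraphDef.node = 1
        yield "graph", node
    for library in _submessages(graph_def, 2):           # GraphDef.library = 2 (FunctionDefLibrary)
        for fn in _submessages(library, 1):              # FunctionDefLibrary.function = 1
            sig = _submessages(fn, 1)                    # FunctionDef.signature = 1 (OpDef)
            fname = _string(sig[0], 1, "<unnamed>") if sig else "<unnamed>"   # OpDef.name = 1
            for node in _submessages(fn, 3):             # FunctionDef.node_def = 3
                yield f"function:{fname}", node


def scan_saved_model(data):
    """Return [(scope, node_name, op_type)] for every dangerous op in a saved_model.pb byte string."""
    findings = []
    for meta_graph in _submessages(data, 2):             # SavedModel.meta_graphs = 2
        for graph_def in _submessages(meta_graph, 2):    # MetaGraphDef.graph_def = 2
            for scope, node in _node_defs(graph_def):
                op = _string(node, 2)                    # NodeDef.op = 2
                if op in DANGEROUS_OPS:
                    findings.append((scope, _string(node, 1), op))   # NodeDef.name = 1
    return findings


def scan_saved_model_dir(path):
    """Scan a SavedModel directory without loading it; only saved_model.pb is read."""
    with open(os.path.join(path, "saved_model.pb"), "rb") as fh:
        return scan_saved_model(fh.read())


# --- constructed sample: a tiny encoder for the same wire format, so the scanner can be exercised offline ---
def _enc_varint(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def _ld(field, payload):                                 # length-delimited field
    return _enc_varint((field << 3) | 2) + _enc_varint(len(payload)) + payload


def _vi(field, n):                                       # varint field
    return _enc_varint(field << 3) + _enc_varint(n)


def build_constructed_sample(include_pyfunc):
    """Build a minimal, constructed saved_model.pb; with include_pyfunc it carries one EagerPyFunc
    node in the main graph and one PyFunc node hidden inside a library function."""
    node_def = lambda name, op: _ld(1, name.encode()) + _ld(2, op.encode())
    nodes = _ld(1, node_def("x", "Placeholder")) + _ld(1, node_def("y", "Identity"))
    fn_body = _ld(3, node_def("add", "AddV2"))
    if include_pyfunc:
        nodes += _ld(1, node_def("StatefulPartitionedCall/EagerPyFunc", "EagerPyFunc"))
        fn_body += _ld(3, node_def("PyFunc", "PyFunc"))
    function = _ld(1, _ld(1, b"__inference_call_12")) + fn_body   # signature(OpDef.name) + node_defs
    graph_def = nodes + _ld(2, _ld(1, function))                    # library -> function
    return _vi(1, 1) + _ld(2, _ld(2, graph_def))                    # schema_version, meta_graphs[0].graph_def


if __name__ == "__main__":
    for finding in scan_saved_model(build_constructed_sample(True)):
        print("dangerous op:", finding)
```

Run `scan_saved_model_dir("/path/to/model")` on a downloaded SavedModel before it reaches `tf.saved_model.load()`; any non-empty result should block the load in a pipeline. This is a prefilter keyed on op names only: it finds the operators the mitigation names and nothing else, so extend `DANGEROUS_OPS` to match local policy and keep the "load from trusted sources" control in place alongside it.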
Patch Details
Patched in TensorFlow versions 2.15.1, 2.14.2, and 2.13.3. The patch introduced stricter checks on operations allowed during model loading.