Loading HuntDB...

GHSA-j3mj-fhpq-qqjj

GitHub Security Advisory

Reachable Assertion in Tensorflow

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

### Impact
When decoding a tensor from protobuf, a TensorFlow process can encounter cases where a `CHECK` assertion is invalidated based on user controlled arguments, if the tensors have an invalid `dtype` and 0 elements or an invalid shape. This allows attackers to cause denial of services in TensorFlow processes.

### Patches
We have patched the issue in GitHub commit [5b491cd5e41ad63735161cec9c2a568172c8b6a3](https://github.com/tensorflow/tensorflow/commit/5b491cd5e41ad63735161cec9c2a568172c8b6a3).

The fix will be included in TensorFlow 2.8.0. We will also cherrypick this commit on TensorFlow 2.7.1, TensorFlow 2.6.3, and TensorFlow 2.5.3, as these are also affected and still in supported range.

### For more information
Please consult [our security guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for more information regarding the security model and how to contact us with issues and questions.

Affected Packages

PyPI tensorflow
Affected versions: 0 (fixed in 2.5.3)
PyPI tensorflow
Affected versions: 2.6.0 (fixed in 2.6.3)
PyPI tensorflow
Affected versions: 2.7.0 (fixed in 2.7.1)
PyPI tensorflow-cpu
Affected versions: 0 (fixed in 2.5.3)
PyPI tensorflow-cpu
Affected versions: 2.6.0 (fixed in 2.6.3)
PyPI tensorflow-cpu
Affected versions: 2.7.0 (fixed in 2.7.1)
PyPI tensorflow-gpu
Affected versions: 0 (fixed in 2.5.3)
PyPI tensorflow-gpu
Affected versions: 2.6.0 (fixed in 2.6.3)
PyPI tensorflow-gpu
Affected versions: 2.7.0 (fixed in 2.7.1)

Related CVEs

Key Information

GHSA ID
GHSA-j3mj-fhpq-qqjj
Published
February 9, 2022 11:28 PM
Last Modified
November 13, 2024 10:46 PM
CVSS Score
7.5 /10
Primary Ecosystem
PyPI
Primary Package
tensorflow
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.