Code Injection in TensorFlow - CVE-2022-29216

Published: May 17, 2022 / Updated: May 3, 2026


Vulnerability identifier: #VU129146
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-29216
CWE-ID: CWE-94
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: TensorFlow
Software vendor: TensorFlow

Description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists due to code injection in saved_model_cli when parsing user-supplied input expressions. A local user can supply a specially crafted --input_exprs argument to execute arbitrary code.

The vulnerable code path is reachable through compatibility handling for numpy expressions, and exploitation requires manual use of the tool.
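The following is an added illustration of the weakness class named above (CWE-94 in an expression parser), not TensorFlow's code: a generic `name=expr;name=expr` argument handed to `eval()` beside a version that accepts Python literals only. The argument format, function names and the use of `eval()` as the injection sink are assumptions for the example.

```python
import ast


def split_input_exprs(arg_string):
    """Split 'a=[1, 2];b=3.5' into {'a': '[1, 2]', 'b': '3.5'}.

    Only string handling happens here; nothing is evaluated yet.
    """
    pairs = {}
    for item in (s.strip() for s in arg_string.split(";")):
        if not item:
            continue
        if "=" not in item:
            raise ValueError(f"expected name=expr, got {item!r}")
        name, expr = item.split("=", 1)
        pairs[name.strip()] = expr.strip()
    return pairs


def parse_input_exprs_unsafe(arg_string):
    """Vulnerable pattern (CWE-94, assumed mechanism): each expression goes to eval().

    Whatever Python the caller typed after '=' runs with the tool's
    privileges; 'sum(range(4))' evaluates, and so would anything else.
    """
    return {name: eval(expr) for name, expr in split_input_exprs(arg_string).items()}


def parse_input_exprs_safe(arg_string):
    """Hardened pattern: accept Python literals only.

    ast.literal_eval builds numbers, strings, lists, tuples, dicts, booleans
    and None from the source text but never resolves names, attributes or
    calls, so a function call in the argument is rejected instead of run.
    The caller can still convert the resulting nested lists to arrays.
    """
    result = {}
    for name, expr in split_input_exprs(arg_string).items():
        try:
            result[name] = ast.literal_eval(expr)
        except (ValueError, SyntaxError) as exc:
            raise ValueError(f"input_exprs[{name!r}] is not a literal: {expr!r}") from exc
    return result


def safe_parser_rejects(arg_string):
    """True when the hardened parser refuses the argument (used for checks)."""
    try:
        parse_input_exprs_safe(arg_string)
    except ValueError:
        return True
    return False
```

A parser built on `ast.literal_eval` gives up convenience expressions such as `np.ones(3)` in exchange for never executing caller-controlled code; array construction then belongs to the tool, after parsing.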


Remediation

Install the security update from the vendor's website.
