CVE-2021-35958

9.1 CRITICAL

📋 TL;DR

This vulnerability in TensorFlow allows attackers to overwrite arbitrary files on the system when tf.keras.utils.get_file is used with extract=True on a malicious archive. It affects TensorFlow users who process untrusted archives through this function. The vendor notes this function was not designed for untrusted input.

💻 Affected Systems

Products:
  • TensorFlow
Versions: TensorFlow through 2.5.0
Operating Systems: All platforms running affected TensorFlow versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when tf.keras.utils.get_file is called with extract=True parameter on untrusted archives.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via arbitrary file overwrite leading to remote code execution, data destruction, or privilege escalation.

🟠

Likely Case

Local file overwrite leading to data corruption, denial of service, or limited code execution depending on file permissions.

🟢

If Mitigated

No impact if only trusted archives are processed or if proper input validation/sandboxing is implemented.

🌐 Internet-Facing: MEDIUM - Requires user to process attacker-controlled archives, but common in ML workflows that download datasets.
🏢 Internal Only: MEDIUM - Internal users could exploit if they can supply malicious archives to processing systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires the attacker to supply a malicious archive file that gets processed by the vulnerable function. Public proof-of-concept demonstrates the path traversal technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: TensorFlow 2.6.0 and later

Vendor Advisory: https://github.com/tensorflow/tensorflow/security/advisories/GHSA-9c8h-2mv3-49ww

Restart Required: No

Instructions:

1. Upgrade TensorFlow to version 2.6.0 or later.
2. Update dependencies: pip install --upgrade tensorflow
3. Verify the update with: pip show tensorflow

🔧 Temporary Workarounds

Disable archive extraction

all

Avoid using extract=True parameter with tf.keras.utils.get_file when processing untrusted archives.

# Instead of: tf.keras.utils.get_file(..., extract=True)
# Use: tf.keras.utils.get_file(..., extract=False) and manually validate/process archives

Implement input validation

all

Validate archive contents before extraction using safe extraction libraries.

import tarfile
# Reject members before extracting anything: absolute paths, '..' path
# segments, and symlink/hardlink entries can all redirect a write outside
# the intended extraction directory.
with tarfile.open(archive_path) as tar:
    for member in tar.getmembers():
        if member.name.startswith('/') or '..' in member.name.split('/'):
            raise ValueError('Unsafe archive: path traversal')
        if member.issym() or member.islnk():
            raise ValueError('Unsafe archive: link entry')
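The following is an added example (not TensorFlow's code and not from the advisory) of a safe tar extraction routine that resolves every member path against the destination directory before writing anything, and rejects link and device entries; it builds a benign and a traversal archive in memory as constructed sample data, and the `safe_extract`, `build_tar` and `demo` names are this example's own.

```python
import io
import os
import tarfile
import tempfile

def _inside(base: str, target: str) -> bool:
    """True if target resolves (symlinks included) to a location under base."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(target)]) == base

def safe_extract(archive: bytes, dest: str) -> list:
    """Validate every member before extracting any; returns extracted names."""
    with tarfile.open(fileobj=io.BytesIO(archive)) as tar:
        members = tar.getmembers()
        for m in members:
            # Symlinks, hardlinks and device nodes can redirect writes out of dest.
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"rejected non-regular member: {m.name}")
            # Absolute names and '..' segments must not escape dest after resolution.
            if not _inside(dest, os.path.join(dest, m.name)):
                raise ValueError(f"rejected path traversal: {m.name}")
        for m in members:
            tar.extract(m, dest)
    return [m.name for m in members]

def build_tar(entries: dict) -> bytes:
    """Constructed sample data: an in-memory tar built from {name: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def demo() -> dict:
    """Benign archive extracts; traversal archive is rejected before any write."""
    out = {}
    with tempfile.TemporaryDirectory() as dest:
        out["benign"] = safe_extract(build_tar({"data/train.csv": b"1,2,3\n"}), dest)
        try:
            safe_extract(build_tar({"../outside.txt": b"x\n"}), dest)
            out["traversal"] = "extracted"
        except ValueError:
            out["traversal"] = "rejected"
        out["escaped"] = os.path.exists(os.path.join(dest, os.pardir, "outside.txt"))
    return out
```

On Python 3.12 and later the standard library's own `tarfile` extraction filters (`filter="data"`) apply equivalent checks; the explicit validation above is for interpreters without them.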

🧯 If You Can't Patch

  • Implement strict input validation for all archive files before processing
  • Run TensorFlow in a sandboxed/containerized environment with restricted file system access

🔍 How to Verify

Check if Vulnerable:

Check TensorFlow version: python -c "import tensorflow as tf; print(tf.__version__)" - if version <= 2.5.0 and code uses tf.keras.utils.get_file with extract=True, it's vulnerable.

Check Version:

python -c "import tensorflow as tf; print(tf.__version__)"

Verify Fix Applied:

After upgrade, verify version is 2.6.0+: python -c "import tensorflow as tf; print(tf.__version__)" and test with known malicious archives.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected file write operations outside expected extraction directories
  • Errors from tf.keras.utils.get_file with suspicious archive paths

Network Indicators:

  • Downloads of archives from untrusted sources followed by extraction operations

SIEM Query:

source="tensorflow" AND ("get_file" OR "extract=True") AND (archive OR tar OR zip) AND (file_write OR permission_denied)
