{"id":"CVE-2025-0649","details":"Incorrect JSON input stringification in Google's Tensorflow serving versions up to 2.18.0 allows for potentially unbounded recursion leading to server crash.","modified":"2026-04-12T19:53:20.382636Z","published":"2025-05-06T21:16:17.880Z","references":[{"type":"FIX","url":"https://github.com/tensorflow/serving/commit/6cb013167d13f2ed3930aabb86dbc2c8c53f5adf"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/tensorflow/serving","events":[{"introduced":"0"},{"last_affected":"5815bfdd1d1bbd9d0d3557576c98f13afc4d9016"},{"fixed":"6cb013167d13f2ed3930aabb86dbc2c8c53f5adf"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.18.0"}]}}],"versions":["0.4.0","0.4.1","0.5.0","2.18.0","2.18.0-rc0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-0649.json","vanir_signatures":[{"source":"https://github.com/tensorflow/serving/commit/6cb013167d13f2ed3930aabb86dbc2c8c53f5adf","target":{"file":"tensorflow_serving/util/json_tensor_test.cc"},"id":"CVE-2025-0649-6cc15a23","digest":{"line_hashes":["33313622061455834989193824769725938223","170287574090103825485810930117398371980","225279118625217240216539850637470460701","29151260469246351567679484755115701544","209082186909377360700755147059185523267"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line"},{"source":"https://github.com/tensorflow/serving/commit/6cb013167d13f2ed3930aabb86dbc2c8c53f5adf","target":{"function":"ParseJson","file":"tensorflow_serving/util/json_tensor.cc"},"id":"CVE-2025-0649-716c216f","digest":{"function_hash":"322296174850325687516159224633680964763","length":680},"signature_version":"v1","deprecated":false,"signature_type":"Function"},{"source":"https://github.com/tensorflow/serving/commit/6cb013167d13f2ed3930aabb86dbc2c8c53f5adf","target":{"file":"tensorflow_serving/util/json_tensor.cc"},"id":"CVE-2025-0649-a3d42f86","digest":{"line_hashes":["114503701882281221747311828247390483085","336540511580128078187935889454052123068","292514187086136293085684902410954272796","291139681700318251871305843196225071247","133307271732502029172983826786739290516","156566270977590589552580572110016899025","255468276622946149515426544847369765607","332401276573278464426861210418609722436","59432167200414694748385215840341897069","213889593477677561508600830915885674543","215694316327476823023053281866632383899","118258091143412154895036749537578722666","196384817458723608730744866987650426502","327670831350874316569512690530476533581","99477031316042726745301346784810223210","80521309152984029715595145514753791898","150075072599923958895312534238690805464","8574880841692931079913542834712400791","320358407702305346316262832511672692117","205493114959826669575223003287253841721","226031831601194684984250742906265945489","79854907568009761580495922785933538576","42148039929952949273109154596136856680","203118463111300904336504378789905987338","171198116876964816631155789215812764418","248332716326403251408726009787228155967","280249969612775181598659541436588012168","179238146529470344815316402616316834748","328430075752856183798178969434259728189","249394444635400529536027538278564715322","225090231520018383992103295947419244549","211072638066032961839855663316832511066","208090802790959205289314106401938490189","145849568952526388064477800206299137130","254856429925843951434078537397322965566","274939063172593885544382326335597353142","288064230707038422300444368013880475602","38884759855217901741052595173093962010","270303948094598469056705514357094342135","335669996888779506159885619933568325901","54893145293745711289879434026187979040","62199555561436711630887721488049314582","107989430371487190098623005233625139897","283504218108762149188865615630641498947","50187170922624305443692180332458969571","330174710343445819571358756319110172116","250988661851482764894473217190582389957","66765933511804570038085312900550423859","166597075588357245086279070076936749988","264941485326778133537810693889297591345","174642195803844236044656766558516445171","206561641805216626899431258557188430537","38911406542726804611151308116001701828","120110307775142110130306641646293420535","239629086763367114683505491098286388891"],"threshold":0.9},"signature_version":"v1","deprecated":false,"signature_type":"Line"},{"source":"https://github.com/tensorflow/serving/commit/6cb013167d13f2ed3930aabb86dbc2c8c53f5adf","target":{"function":"JsonValueToString","file":"tensorflow_serving/util/json_tensor.cc"},"id":"CVE-2025-0649-af486313","digest":{"function_hash":"309355315477105074540593591278846991138","length":294},"signature_version":"v1","deprecated":false,"signature_type":"Function"}],"vanir_signatures_modified":"2026-04-12T19:53:20Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}