ML CVE Database Vulnerabilities: What's Tracked and Missing

How ML CVE database vulnerabilities are catalogued in NVD and MITRE, why the taxonomy breaks down for AI-specific flaws, and which real CVEs in TensorFlow, PyTorch, and MLflow demand attention.

By ML CVEs Editorial · 8 min read

The intersection of machine learning infrastructure and software security has produced a category of risk that existing vulnerability management systems weren’t designed to handle. ML CVE database vulnerabilities — flaws in the frameworks, serialization formats, and toolchains powering modern AI — accumulate faster than the infrastructure tracking them can process, and the gap between disclosure and defender awareness keeps widening.

What the NVD Data Actually Shows

The National Vulnerability Database remains the canonical source for CVE tracking, but the numbers expose a system under pressure. In 2025, 46,407 CVEs were published — a 16% increase over 2024 and a 263% surge since 2020 — averaging roughly 127 new vulnerabilities per day. Only 28% of those received full NVD enrichment in 2025, down from 46.2% the year before, leaving a backlog of more than 54,000 CVEs without complete severity scoring or CPE mappings.

Within that volume, approximately 1,418 CVEs disclosed in 2025 affected AI frameworks, inference engines, or AI-integrated tooling — around 3% of all new CVEs, and that share is growing. The practical problem is that many of these entries lack the metadata — CVSS scores, CWE classifications, CPE identifiers — that security teams rely on for triage. A CVE entry with no enrichment offers little operational value to defenders who need to prioritize patching across a large ML stack.

The Distinct Character of ML Framework Vulnerabilities

What separates ML CVE database vulnerabilities from conventional software flaws isn’t just volume; it’s that the attack surface of ML infrastructure differs in ways the CVE taxonomy was not designed to capture.

Deserialization as a recurring vector. JFrog’s security research team documented a pattern across popular ML frameworks: PyTorch, scikit-learn, Keras (legacy HDF5), XGBoost, and H2O all use or have used pickle-based serialization for model persistence. Pickle is not a safe format — it executes arbitrary Python on load. CVE-2024-6960 demonstrated this in H2O, where unsafe Java deserialization via the Iced format let attackers achieve code execution by supplying a malicious model. CVE-2024-27132 in MLflow showed how an XSS vulnerability in recipe failure cards could escalate to full Python code execution inside JupyterLab through DOM manipulation. The JFrog researchers concluded that even “safe” model formats can be compromised if the loading library itself has unpatched bugs — meaning the format is only as secure as its implementation.
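Because pickle's danger is in the opcodes, not in any particular framework, the useful defensive check is a static scan of the opcode stream before anything is executed. The following is an added example written for this article, not code from JFrog or from any of the frameworks named above: it walks a pickle with `pickletools.genops`, collects every module/name pair a `GLOBAL` or `STACK_GLOBAL` opcode would import, and refuses to load the file if any of them fall outside an allowlist. The allowlist (`collections.OrderedDict` only), the benign checkpoint dict and the `_ReduceToCallable` sample are all constructed for the example; the sample class pickles as a call to `print`, which is the same `__reduce__` mechanism a hostile model file uses to run code on load, with a harmless callable in place of a harmful one.

```python
import pickle
import pickletools

# Globals a plain checkpoint is allowed to import on load. This allowlist is an
# assumption for the example; a real deployment would enumerate the reconstruction
# helpers its framework actually emits (e.g. torch._utils._rebuild_tensor_v2).
ALLOWED_GLOBALS = {("collections", "OrderedDict")}

# Opcodes that push a str operand. STACK_GLOBAL (protocol 4+) consumes the two most
# recent ones as (module, name); GLOBAL (protocol <= 3) carries both inline.
_STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
               "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> list[tuple[str, str]]:
    """Walk the opcode stream with pickletools (nothing is executed) and return
    every (module, name) pair the stream would import when loaded."""
    found: list[tuple[str, str]] = []
    recent_strings: list[str] = []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":                      # operand is "module name"
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name in _STRING_OPS:
            recent_strings.append(arg)
        elif op.name == "STACK_GLOBAL":
            if len(recent_strings) < 2:
                raise ValueError("malformed STACK_GLOBAL: operands are not literal strings")
            found.append((recent_strings[-2], recent_strings[-1]))
    return found


def audit_pickle(data: bytes, allowed=ALLOWED_GLOBALS) -> list[tuple[str, str]]:
    """Globals the stream would import that are not on the allowlist.
    An empty list means loading cannot reach an unexpected callable."""
    return [g for g in referenced_globals(data) if g not in allowed]


def safe_load(data: bytes, allowed=ALLOWED_GLOBALS):
    """Unpickle only after the static audit comes back clean."""
    bad = audit_pickle(data, allowed)
    if bad:
        raise ValueError(f"refusing to load pickle: unexpected globals {bad}")
    return pickle.loads(data)


# --- constructed samples ----------------------------------------------------------
# A checkpoint-like dict of plain Python values: contains no GLOBAL opcode at all.
BENIGN = pickle.dumps({"weights": [0.1, 0.2, 0.3], "epoch": 3}, protocol=4)


class _ReduceToCallable:
    """Pickles as 'call print("checkpoint loaded")' rather than as an object.
    This is the mechanism behind code execution on load; print stands in for
    the callable a hostile model file would name."""
    def __reduce__(self):
        return (print, ("checkpoint loaded",))


SUSPICIOUS = pickle.dumps(_ReduceToCallable(), protocol=4)


if __name__ == "__main__":
    print("benign audit:    ", audit_pickle(BENIGN))        # []
    print("suspicious audit:", audit_pickle(SUSPICIOUS))    # [('builtins', 'print')]
```

The scan is deliberately conservative: it reports imports, not behaviour, so a checkpoint that legitimately references a reconstruction helper you have not allowlisted is rejected too. That is the right failure direction for an untrusted registry download; tune the allowlist from checkpoints you produced yourself rather than from the file under inspection.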

Denial of service through malformed tensors. CVE-2023-25661 in TensorFlow illustrates this category cleanly: a malformed input to the Convolution3DTranspose function triggers a check failure, crashing any service that exposes this API over a network connection. CVSS score: 6.5 (Medium). The fix is to upgrade to TensorFlow 2.11.1. The pattern recurs because rigorous input validation for arbitrary tensor shapes is architecturally difficult, and the APIs involved are common in production neural networks.

Path traversal in model archives. CVE-2023-5245 (MLeap ZipSlip) demonstrated that archiving saved models introduces traversal risk: file paths containing ../ sequences escape their intended directories during extraction, enabling arbitrary file write. PyTorch’s TorchScript carried a similar flaw where the weights_only=True flag — a documented safety control — did not prevent arbitrary file creation via torch.save(), enabling both denial of service and code execution scenarios.
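The ZipSlip check itself is short enough to show in full. The block below is an added example for this article (not MLeap's or PyTorch's code): before extracting a model archive it resolves each member name against the destination directory with `os.path.realpath` and refuses the whole archive if any member would land outside it. The two archives are constructed in memory, and `/opt/models/incoming` is a placeholder destination. One caveat worth knowing: CPython's `zipfile` already strips `..` components during extraction, so a hostile member is silently written under a cleaned-up name; rejecting the archive outright is preferable because it keeps the tampered file out of the pipeline and gives you an event to alert on. The same check is the one to apply to `tarfile`, which historically did no such sanitising.

```python
import io
import os
import tempfile
import zipfile


def traversal_members(archive: zipfile.ZipFile, dest: str) -> list[str]:
    """Names of members whose final on-disk path would fall outside dest.
    Resolving both sides with realpath catches '../' sequences, absolute
    member names and mixed separators alike."""
    root = os.path.realpath(dest)
    bad = []
    for info in archive.infolist():
        target = os.path.realpath(os.path.join(root, info.filename))
        if os.path.commonpath([root, target]) != root:
            bad.append(info.filename)
    return bad


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every member stays inside dest; otherwise refuse the
    whole archive rather than extracting the 'good' members."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        bad = traversal_members(zf, dest)
        if bad:
            raise ValueError(f"refusing archive: path traversal in {bad}")
        zf.extractall(dest)
        return sorted(i.filename for i in zf.infolist())


def audit_archive(archive_bytes: bytes, dest: str = "/opt/models/incoming") -> list[str]:
    """Read-only check usable before any extraction. dest is a placeholder path;
    it does not need to exist for the resolution to work."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return traversal_members(zf, dest)


def extract_into_tempdir(archive_bytes: bytes) -> list[str]:
    """Convenience wrapper: extract into a fresh temporary directory."""
    return safe_extract(archive_bytes, tempfile.mkdtemp(prefix="model-"))


def _build_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory archive. zipfile does not sanitise names on write,
    so a '../' member is stored exactly as it would arrive from a registry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a well-formed saved model and one carrying a traversal member.
CLEAN_ZIP = _build_zip({"model/weights.bin": b"\x00" * 16,
                        "model/config.json": b"{}"})
TRAVERSAL_ZIP = _build_zip({"model/weights.bin": b"\x00" * 16,
                            "../../escape.txt": b"written outside dest"})


if __name__ == "__main__":
    print("clean archive:    ", audit_archive(CLEAN_ZIP))       # []
    print("traversal archive:", audit_archive(TRAVERSAL_ZIP))   # ['../../escape.txt']
```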

Adversarial attacks sit outside the CVE model entirely. Beyond implementation bugs, ML systems face attacks — data poisoning, model inversion, membership inference, adversarial perturbations — that produce no crash dump and no CVSSv3 score. They exploit learned model behavior, not code execution paths. The current CVE taxonomy has no entry type for “model trained on poisoned data.” For depth on that threat class, adversarialml.dev tracks adversarial ML research and attack taxonomies that NVD does not cover.

Why the Database Taxonomy Is Falling Behind

In 2025, Senators Mark Warner and Thom Tillis introduced legislation requiring NIST to update the NVD to recognize that “AI systems can differ dramatically from traditional software,” and directing CISA to either modify the CVE program or create a parallel process for AI security flaws. The bill would also establish an AI Security Center at the NSA for testing infrastructure and counter-AI mitigation guidance.

The structural problem the legislation targets is real: adversarial ML attacks don’t map to CWE entries. A model inversion attack that leaks training data leaves no exploit artifact. An input that forces a biased classification output looks like normal traffic. These events fall outside current CVE scope by design — defenders relying on NVD-based feeds are systematically blind to a portion of the threat landscape.

NIST’s April 2026 NVD restructuring prioritizes resources for critical and high-impact CVEs, which helps triage but doesn’t resolve the AI-specific coverage gap. Practical tracking of ML-adjacent incidents — including disclosures that never receive CVE assignments — has fallen to aggregators. ai-alert.org maintains a running tracker of AI vulnerability disclosures and ML breach events that don’t fit the NVD model.

Building a Monitoring Program That Covers the Gap

Relying on NVD alone leaves blind spots for ML infrastructure. A layered approach covers more of the exposure:

GitHub Security Advisories for your specific frameworks. TensorFlow, PyTorch, Hugging Face Transformers, MLflow, and most major ML libraries publish advisories to GitHub’s security advisory database, often before NVD enrichment catches up. Subscribe to the repos you run.

MITRE CVE search filtered to CPE entries. MITRE now aggregates from CISA’s Known Exploited Vulnerabilities catalog, CVEDetails, and Tenable in addition to NVD. Filtering by CPE strings for your exact dependency versions surfaces relevant entries that may lack NVD CVSS scores but have been catalogued.
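What "filtering by CPE strings for your exact dependency versions" means in practice is applying the version-range attributes of each `cpeMatch` entry to an inventory of what you actually run. The block below is an added example for this article, not tooling from MITRE or NVD: it takes records in the shape of the NVD API 2.0 JSON (`cve.id`, `configurations` → `nodes` → `cpeMatch`) and a constructed dependency inventory, and reports which inventory entries fall inside a vulnerable range. The first record mirrors the page's stated fact for CVE-2023-25661 (TensorFlow before 2.11.1); the second uses an obvious placeholder id to stand in for an entry published without enrichment, which is what the backlog described earlier looks like to this kind of filter. Version comparison uses the leading digits of each dotted component, which is adequate for release numbers like 2.11.1 but is an assumption, not a full CPE or PEP 440 comparator.

```python
import json
import re

# Constructed records in NVD API 2.0 shape. Only the fields the filter needs are
# present; real records carry descriptions, metrics and weaknesses as well.
NVD_FEED = json.loads("""
{
  "vulnerabilities": [
    {"cve": {
      "id": "CVE-2023-25661",
      "configurations": [{"nodes": [{"operator": "OR", "negate": false,
        "cpeMatch": [{"vulnerable": true,
                      "criteria": "cpe:2.3:a:google:tensorflow:*:*:*:*:*:*:*:*",
                      "versionEndExcluding": "2.11.1"}]}]}]
    }},
    {"cve": {"id": "CVE-PLACEHOLDER-UNENRICHED"}}
  ]
}
""")

# Constructed inventory, keyed the way CPE names software (vendor, product). The
# mlflow vendor string is illustrative; take real vendor names from the CPE dictionary.
INVENTORY = [
    {"vendor": "google", "product": "tensorflow", "version": "2.10.0"},
    {"vendor": "google", "product": "tensorflow", "version": "2.11.1"},
    {"vendor": "mlflow", "product": "mlflow", "version": "2.3.0"},
]


def parse_version(v: str) -> tuple:
    """Dotted version -> comparable tuple of ints, using the leading digits of
    each component ('2.12.0rc0' -> (2, 12, 0)). Assumption: good enough for
    framework release numbers; not a general version comparator."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def cpe_fields(criteria: str) -> dict:
    # cpe:2.3:part:vendor:product:version:update:edition:lang:sw_ed:target_sw:target_hw:other
    f = criteria.split(":")
    return {"vendor": f[3], "product": f[4], "version": f[5]}


def match_in_range(cpe_match: dict, version: str) -> bool:
    """Apply one cpeMatch's version attributes to a concrete installed version."""
    v = parse_version(version)
    pinned = cpe_fields(cpe_match["criteria"])["version"]
    if pinned not in ("*", "-"):                 # CPE names one exact version
        return parse_version(pinned) == v
    checks = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding",   lambda b: v <= b),
        ("versionEndExcluding",   lambda b: v < b),
    )
    return all(ok(parse_version(cpe_match[k])) for k, ok in checks if k in cpe_match)


def affected(feed: dict, inventory: list) -> list:
    """(cve_id, product, version) for every inventory entry inside a vulnerable range."""
    hits = set()
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        for conf in cve.get("configurations", []):
            for node in conf["nodes"]:
                for m in node["cpeMatch"]:
                    if not m.get("vulnerable", False):
                        continue
                    cpe = cpe_fields(m["criteria"])
                    for pkg in inventory:
                        if (pkg["vendor"], pkg["product"]) == (cpe["vendor"], cpe["product"]) \
                                and match_in_range(m, pkg["version"]):
                            hits.add((cve["id"], pkg["product"], pkg["version"]))
    return sorted(hits)


def unenriched(feed: dict) -> list:
    """IDs with no configurations at all. CPE filtering cannot see these; they
    need a second source such as the project's GitHub advisory."""
    return [i["cve"]["id"] for i in feed["vulnerabilities"]
            if not i["cve"].get("configurations")]


if __name__ == "__main__":
    print("affected:  ", affected(NVD_FEED, INVENTORY))   # tensorflow 2.10.0 only
    print("unenriched:", unenriched(NVD_FEED))
```

Run against a real feed, the `unenriched` list is the one to watch: every id in it is invisible to CPE-based matching until NIST or an ADP supplies configurations, which is why the GitHub advisory and vendor sources above belong in the same pipeline rather than being treated as optional extras.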

Vendor security pages for cloud ML services. AWS SageMaker, Google Vertex AI, and Azure ML all publish security advisories on a different cadence than NVD, sometimes covering platform-layer issues that don’t get CVE assignments.

Model format auditing before loading external checkpoints. Avoid pickle for untrusted model sources. Prefer safetensors or ONNX with signature verification. Treat any model downloaded from a public registry as potentially adversarial until verified — the JFrog research showed that compromised model files provide lateral movement paths into model registries and full MLOps pipelines.

Runtime behavioral monitoring. CVEs cover code-level flaws; they don’t detect a model behaving anomalously because its weights were poisoned, or a scoring API returning systematically shifted outputs. Pairing vulnerability tracking with production monitoring closes that gap. sentryml.com covers the observability tooling side of that problem.

The right posture treats ML CVE tracking as necessary but not sufficient: necessary because implementation bugs in frameworks are real, patched on a schedule, and exploitable by conventional means; not sufficient because the threat model for ML systems extends into territory the CVE program was never built to address.

Sources

  • CVE-2023-25661 — NVD Detail (nvd.nist.gov): The canonical NVD entry for the TensorFlow Convolution3DTranspose denial-of-service vulnerability, CVSS 6.5, affecting versions prior to 2.11.1.

  • Machine Learning Bug Bonanza — JFrog Security Research (jfrog.com): Deep technical analysis of deserialization and path traversal vulnerabilities across PyTorch, MLflow, H2O, and other frameworks, covering CVE-2024-27132, CVE-2024-6960, and CVE-2023-5245.

  • It's time to rethink the national vulnerabilities database for the AI era — The Record (therecord.media): Coverage of the Warner-Tillis bill proposing NVD schema changes and a dedicated AI CVE tracking process through CISA.

  • The 2025 Spike in Vulnerabilities Isn’t the Full Story — Zafran (zafran.io): Analysis of CVE volume trends including the NVD enrichment backlog, the drop in fully-analyzed CVEs from 46.2% to 28%, and the growing disclosure-to-coverage gap.
