Base · Medium

CWE-1434: Insecure Setting of Generative AI/ML Model Inference Parameters

The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.

CWE-1434 · Base Level · 3 Mitigations

Description

Generative AI/ML models, such as those used for text generation, image synthesis, and other creative tasks, rely on inference parameters that control model behavior, such as temperature, Top P, and Top K. These parameters affect the model's internal decision-making processes, learning rate, and probability distributions. Incorrect settings can lead to unusual behavior such as text "hallucinations," unrealistic images, or failure to converge during training. The impact of such misconfigurations can compromise the integrity of the application. If the results are used in security-critical operations or decisions, then this could violate the intended security policy, i.e., introduce a vulnerability.

Potential Impact

  • Scope: Integrity, Other. Technical Impact: Varies by Context, Unexpected State.
  • Scope: Other. Technical Impact: Alter Execution Logic, Unexpected State, Varies by Context.

Demonstrative Examples

Assume the product offers an LLM-based AI coding assistant that helps users write code as part of an Integrated Development Environment (IDE). Assume the model has been trained on real-world code and behaves normally under its default settings. Suppose the default temperature is 1, with a range of temperature values from 0 (most deterministic) to 2. Consider the following configuration.
Bad:

    {
      "model": "my-coding-model",
      "context_window": 8192,
      "max_output_tokens": 4096,
      "temperature": 1.5,
      ...
    }

Good:

    {
      ...
      "temperature": 0.2,
      ...
    }
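One way to catch the misconfiguration above before deployment is a policy check over the inference config, run in CI or at service start. The following is an added example, not code from CWE or from any product; the POLICY ranges (the hard bounds and the per-use-case recommended maximum for a coding assistant) are assumptions chosen for illustration, with only the 0 to 2 temperature range taken from the text.

```python
import json

# Constructed policy (assumption): hard ranges the model accepts, plus the
# recommended maximum for this page's coding-assistant use case. The
# temperature range 0..2 follows the page; the other values are illustrative.
POLICY = {
    "temperature": {"min": 0.0, "max": 2.0, "recommended_max": 0.3},
    "top_p": {"min": 0.0, "max": 1.0, "recommended_max": 1.0},
    "top_k": {"min": 1, "max": 200, "recommended_max": 200},
    "max_output_tokens": {"min": 1, "max": 4096, "recommended_max": 4096},
}


def check_inference_config(raw_json: str) -> list:
    """Return a list of (severity, message) findings; an empty list means acceptable.

    Values outside the model's hard range are 'error'; values inside the range
    but above the use-case's recommended maximum are 'warn' (the page's Bad
    example, temperature 1.5 for a coding assistant, lands here).
    """
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        # A malformed file is a defect too: many stacks silently fall back to
        # model defaults when the config cannot be parsed.
        return [("error", f"config is not valid JSON: {exc.msg}")]
    findings = []
    for name, bounds in POLICY.items():
        if name not in cfg:
            continue  # absent means the model default applies; not a defect by itself
        value = cfg[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            findings.append(("error", f"{name} must be numeric, got {value!r}"))
            continue
        if not bounds["min"] <= value <= bounds["max"]:
            findings.append(("error", f"{name}={value} outside hard range "
                                      f"[{bounds['min']}, {bounds['max']}]"))
        elif value > bounds["recommended_max"]:
            findings.append(("warn", f"{name}={value} exceeds recommended "
                                     f"{bounds['recommended_max']} for this use case"))
    return findings


# Constructed configs mirroring the page's Bad and Good examples.
BAD_CONFIG = ('{"model": "my-coding-model", "context_window": 8192, '
              '"max_output_tokens": 4096, "temperature": 1.5}')
GOOD_CONFIG = ('{"model": "my-coding-model", "context_window": 8192, '
               '"max_output_tokens": 4096, "temperature": 0.2}')

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, check_inference_config(cfg))
```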

Mitigations & Prevention

Phases: Implementation, System Configuration, Operation

Develop and adhere to robust parameter tuning processes that include extensive testing and validation.

Phases: Implementation, System Configuration, Operation

Implement feedback mechanisms to continuously assess and adjust model performance.

Phase: Documentation

Provide comprehensive documentation and guidelines for parameter settings to ensure consistent and accurate model behavior.

Detection Methods

  • Automated Dynamic Analysis Moderate — Manipulate inference parameters and perform comparative evaluation to assess the impact of selected values. Build a suite of systems using targeted tools that detect problems such as prompt injection (CWE-1427) and other problems. Consider statistical
  • Manual Dynamic Analysis Moderate — Manipulate inference parameters and perform comparative evaluation to assess the impact of selected values. Build a suite of systems using targeted tools that detect problems such as prompt injection (CWE-1427) and other problems. Consider statistical

Frequently Asked Questions

What is CWE-1434?

CWE-1434 (Insecure Setting of Generative AI/ML Model Inference Parameters) is a software weakness identified by MITRE's Common Weakness Enumeration. It is classified as a Base-level weakness. The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.

How can CWE-1434 be exploited?

Attackers can exploit CWE-1434 (Insecure Setting of Generative AI/ML Model Inference Parameters) with an impact that varies by context, including leaving the product in an unexpected state. This weakness is typically introduced during the Build and Compilation, Installation, Patching and Maintenance phases of software development.

How do I prevent CWE-1434?

Key mitigations include developing and adhering to robust parameter tuning processes that include extensive testing and validation.

What is the severity of CWE-1434?

CWE-1434 is classified as a Base-level weakness (Medium abstraction). Its actual severity depends on the specific context and how the weakness manifests in your application.