🤖 AI Summary
Problem: Split DNNs are vulnerable to Feature Inversion Attacks (FIAs), in which intermediate features leaked across the split boundary are inverted to reconstruct private input images. Existing inversion methods suffer from low reconstruction fidelity, which hinders accurate privacy risk assessment.
Method: We propose FIA-Flow, a novel framework comprising a Latent Feature Space Alignment Module (LFSAM) and Deterministic Inversion Flow Matching (DIFM), which decouples semantic alignment from distribution correction and enables few-shot training. Leveraging flow matching for high-fidelity inversion and integrating vision-language models for black-box privacy evaluation, FIA-Flow achieves robust, semantically consistent image reconstruction without access to model internals or ground-truth labels.
Results: Extensive experiments demonstrate that FIA-Flow significantly outperforms state-of-the-art FIA methods across diverse DNN architectures and split points. It is the first work to systematically expose and quantify the previously underestimated, severe privacy threat inherent in Split DNNs.
📝 Abstract
Split DNNs enable edge devices by offloading intensive computation to a cloud server, but this paradigm exposes privacy vulnerabilities, as the intermediate features can be exploited to reconstruct the private inputs via a Feature Inversion Attack (FIA). Existing FIA methods often produce limited reconstruction quality, making it difficult to assess the true extent of privacy leakage. To reveal the privacy risk of the leaked features, we introduce FIA-Flow, a black-box FIA framework that achieves high-fidelity image reconstruction from intermediate features. To exploit the semantic information within intermediate features, we design a Latent Feature Space Alignment Module (LFSAM) to bridge the semantic gap between the intermediate feature space and the latent space. Furthermore, to rectify the distributional mismatch, we develop Deterministic Inversion Flow Matching (DIFM), which projects off-manifold features onto the target manifold with one-step inference. This decoupled design simplifies learning and enables effective training with few image-feature pairs. To quantify privacy leakage from a human perspective, we also propose two metrics based on a large vision-language model. Experiments show that FIA-Flow achieves more faithful and semantically aligned feature inversion across various models (AlexNet, ResNet, Swin Transformer, DINO, and YOLO11) and layers, revealing a more severe privacy threat in Split DNNs than previously recognized.