We use cookies to improve your experience on our site.
AVID-2026-R1485
Description
TorchServe bypass allowed_urls configuration (CVE-2024-35198)
Details
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe ’s check on allowed_urls configuration can be by-passed if the URL contains characters such as “..” but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as “..” before downloading see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Reason for inclusion in AVID: CVE-2024-35198 concerns TorchServe, a model-serving component used in AI deployments. It describes a bypass of allowed_urls when downloading model artifacts, enabling potential security breaches in AI inference pipelines. This directly impacts AI systems' deployment/serving stack and their supply chain (model-serving libraries and artifacts). The CVE is high-severity (CVSS 9.8) and includes a fix in TorchServe 0.11.0, with clear remediation. It is a software vulnerability (not hardware/firmware-only) and pertains to software commonly used in ML pipelines.
References
- NVD entry
- https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2
- https://github.com/pytorch/serve/pull/3082
- https://github.com/pytorch/serve/releases/tag/v0.11.0
Affected or Relevant Artifacts
- Developer: pytorch
- Deployer: pytorch
- Artifact Details:
| Type | Name |
|---|---|
| System | serve |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Version | 3.1 |
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 9.8 |
| Base Severity | 🔴 Critical |
| Attack Vector | NETWORK |
| Attack Complexity | 🟢 Low |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-706 | CWE-706: Use of Incorrectly-Resolved Name or Reference |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-07-18
- Version: 0.3.3
- AVID Entry