CVE-2023-43654: TorchServe: SSRF + RCE via unrestricted model URL loading

Published September 28, 2023
CISO Take

TorchServe ≤0.8.1 allows unauthenticated attackers to force the server to fetch arbitrary URLs and write files to disk via the management API—enabling SSRF, cloud metadata exfiltration, and RCE through malicious model deserialization. Upgrade to 0.8.2 immediately and restrict the management API (port 8081) to localhost or trusted internal networks. Audit every production ML serving deployment for external management API exposure now.

Risk Assessment

Severity is maximum: CVSS 9.8 with no authentication, no user interaction, and network-accessible attack vector. The PyTorch ecosystem is deployed in thousands of production ML inference environments. Default TorchServe configurations frequently expose the management API without restriction, making this trivially exploitable at scale. The combination of SSRF (cloud metadata theft, internal network pivoting) plus deserialization RCE elevates this from a configuration issue to a critical infrastructure threat for any organization running ML inference at scale.

Affected Systems

Package: torchserve
Ecosystem: pip
Patched: No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 91.6% chance of exploitation in 30 days (higher than 100% of all CVEs)
Exploitation Status: Actively Exploited
Sophistication: Trivial
Exploitation Confidence: high
  CISA KEV (active exploitation confirmed)
  CISA SSVC: Public PoC
  Public PoC indexed (trickest/cve)
  Nuclei detection template available
  EPSS exploit prediction: 92%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. PATCH

    Upgrade TorchServe to ≥0.8.2 immediately.

  2. NETWORK

    Firewall management API port 8081—bind to 127.0.0.1 only or restrict via network ACL. Production API port 8080 is separate and should also be reviewed.

  3. CONFIGURE

    Explicitly set allowed_urls in config.properties to a strict allowlist of trusted model registries—never leave as default wildcard.

  4. AUDIT

    Scan infrastructure for exposed TorchServe management APIs using: nmap -p 8081 <cidr> or cloud security posture tools.

  5. DETECT

    Alert on outbound HTTP requests from ML serving hosts to unexpected destinations, particularly cloud metadata endpoints (169.254.169.254).

  6. ROTATE

    If exposure is confirmed, rotate all cloud credentials accessible from the affected host.
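
As an added illustration of steps 2 and 3 (this is example code, not code from the page or from the TorchServe project), the following Python script audits a config.properties file for the two conditions that combine into this exposure: a management API bound beyond loopback, and an allowed_urls value that admits arbitrary remote hosts. It assumes the TorchServe keys management_address and allowed_urls, assumes the permissive default pattern is file://.*|http(s)?://.*, assumes the server applies that regex as a full match against the model URL, and assumes loopback on 8081 when management_address is absent. Both sample configurations are constructed.

```python
"""Audit a TorchServe config.properties for the CVE-2023-43654 exposure pattern.

Added example, not TorchServe project code. Assumptions: TorchServe reads
management_address and allowed_urls from config.properties, the permissive
default allowed_urls pattern is 'file://.*|http(s)?://.*', and the regex is
applied as a full match against the model URL.
"""
import re
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}

# Assumed permissive default: any file:// or http(s):// URL is accepted.
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"

# Constructed probe URLs that a safe allowlist must reject: a cloud
# metadata endpoint and an arbitrary external host.
PROBE_URLS = (
    "http://169.254.169.254/latest/meta-data/",
    "https://attacker.invalid/model.mar",
)


def parse_properties(text):
    """Minimal Java-style .properties parser: key=value, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def bind_host(address):
    """Host part of a TorchServe listen address such as http://0.0.0.0:8081."""
    return urlsplit(address).hostname or ""


def allows_arbitrary_remote(pattern):
    """True when the allowed_urls regex accepts a probe URL, i.e. it is
    effectively a wildcard. An unparsable pattern is reported as a finding."""
    try:
        compiled = re.compile(pattern)
    except re.error:
        return True
    return any(compiled.fullmatch(url) for url in PROBE_URLS)


def audit_config(text):
    """Return human-readable findings for one config.properties body."""
    props = parse_properties(text)
    findings = []
    # Assumed TorchServe default when the key is absent: loopback on 8081.
    mgmt = props.get("management_address", "http://127.0.0.1:8081")
    if bind_host(mgmt) not in LOOPBACK_HOSTS:
        findings.append(f"management API bound to non-loopback address: {mgmt}")
    allowed = props.get("allowed_urls")
    if allowed is None:
        findings.append("allowed_urls not set: wildcard default applies")
    elif allows_arbitrary_remote(allowed):
        findings.append(f"allowed_urls admits arbitrary remote hosts: {allowed}")
    return findings


# Constructed sample: a typical container deployment that exposes 8081 on
# all interfaces and leaves allowed_urls at its default.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
model_store=/home/model-server/model-store
"""

# Constructed sample: management API on loopback, strict registry allowlist.
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
model_store=/home/model-server/model-store
allowed_urls=https://models.internal.example.com/.*
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{name}]", audit_config(cfg) or ["no findings"])
```

Testing the allowlist by probing it with URLs it must reject, rather than by pattern-matching the regex text, catches hand-written patterns that are wildcards in effect (for example a bare `.*` alternative) and not only the documented default.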

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, Robustness and Cybersecurity
  Article 9 - Risk Management System
ISO 42001
  A.6.2 - AI System Risk Management — Technical Controls
  A.9.3 - Information Security for AI Systems
NIST AI RMF
  GOVERN 6.1 - Policies and procedures for AI risk
  MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems
OWASP LLM Top 10
  LLM05:2025 - Insecure Output Handling / Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-43654?

TorchServe ≤0.8.1 allows unauthenticated attackers to force the server to fetch arbitrary URLs and write files to disk via the management API—enabling SSRF, cloud metadata exfiltration, and RCE through malicious model deserialization. Upgrade to 0.8.2 immediately and restrict the management API (port 8081) to localhost or trusted internal networks. Audit every production ML serving deployment for external management API exposure now.

Is CVE-2023-43654 actively exploited?

Yes, CVE-2023-43654 is confirmed actively exploited and listed in CISA Known Exploited Vulnerabilities catalog.

How to fix CVE-2023-43654?

  1. PATCH: Upgrade TorchServe to ≥0.8.2 immediately.
  2. NETWORK: Firewall management API port 8081—bind to 127.0.0.1 only or restrict via network ACL. Production API port 8080 is separate and should also be reviewed.
  3. CONFIGURE: Explicitly set `allowed_urls` in config.properties to a strict allowlist of trusted model registries—never leave as default wildcard.
  4. AUDIT: Scan infrastructure for exposed TorchServe management APIs using `nmap -p 8081 <cidr>` or cloud security posture tools.
  5. DETECT: Alert on outbound HTTP requests from ML serving hosts to unexpected destinations, particularly cloud metadata endpoints (169.254.169.254).
  6. ROTATE: If exposure is confirmed, rotate all cloud credentials accessible from the affected host.

What systems are affected by CVE-2023-43654?

This vulnerability affects the following AI/ML architecture patterns: Model serving infrastructure, ML inference pipelines, PyTorch production deployments, Multi-tenant ML platforms, Cloud-hosted AI/ML workloads.

What is the CVSS score for CVE-2023-43654?

CVE-2023-43654 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 91.65%.

Technical Details

NVD Description

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.

Exploitation Scenario

Adversary discovers an internet-exposed TorchServe management API (port 8081) via Shodan or targeted scanning. Without any credentials, they POST to `/models?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/` to steal AWS IAM role credentials via SSRF. With credentials in hand, they pivot to S3 buckets containing proprietary training data. For full RCE, they host a maliciously crafted PyTorch model file (.mar archive containing pickle payload) on an attacker-controlled server, then force TorchServe to download and load it—executing arbitrary OS commands with the privileges of the model server process, potentially gaining persistent access to the ML serving infrastructure.
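
The scenario above hinges on the server being made to fetch the cloud metadata endpoint, which is exactly what the DETECT step in the recommended actions alerts on. As an added example (not from the page or the TorchServe project), this Python script runs that alert logic over constructed egress log lines from model-serving hosts: any outbound request to 169.254.169.254, to the metadata.google.internal name, or to any other link-local address is flagged as a critical SSRF indicator, and any request to a destination outside an assumed allowlist of trusted model registries is flagged as high. The key=value log format, hostnames and the allowlist are constructed assumptions.

```python
"""Egress detection for model-serving hosts (the DETECT step).

Added example, not from the page or TorchServe. The key=value log format,
hostnames and the egress allowlist are constructed assumptions.
"""
import ipaddress
import re
from collections import namedtuple

# Constructed log line shape, e.g. from an egress proxy or flow exporter.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src_host=(?P<src_host>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) method=(?P<method>\S+) path=(?P<path>\S+)$"
)

# Cloud metadata endpoints: the link-local IP used by AWS and Azure, and the
# hostname GCP additionally exposes.
METADATA_ENDPOINTS = {"169.254.169.254", "metadata.google.internal"}

# Assumed allowlist: the only destinations a model server should fetch from.
TRUSTED_EGRESS = {"models.internal.example.com"}

Finding = namedtuple("Finding", "severity host dst reason")


def is_link_local(dst):
    """True for literal IPs in 169.254.0.0/16 or fe80::/10; False for names."""
    try:
        return ipaddress.ip_address(dst).is_link_local
    except ValueError:
        return False


def classify(event):
    """Map one parsed egress event to a Finding, or None if it is expected."""
    dst = event["dst"]
    host = event["src_host"]
    if dst in METADATA_ENDPOINTS or is_link_local(dst):
        return Finding("critical", host, dst,
                       "request to cloud metadata / link-local endpoint (SSRF indicator)")
    if dst not in TRUSTED_EGRESS:
        return Finding("high", host, dst,
                       "request to destination outside the model-registry allowlist")
    return None


def detect(lines):
    """Run the rules over raw log lines; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        finding = classify(m.groupdict())
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample log: one expected registry fetch, one metadata probe
# matching the scenario above, one model fetch from an unknown host, and
# one malformed line.
SAMPLE_LOG = [
    "2023-09-28T10:02:11Z src_host=ml-serve-01 dst=models.internal.example.com dport=443 method=GET path=/resnet50.mar",
    "2023-09-28T10:05:42Z src_host=ml-serve-01 dst=169.254.169.254 dport=80 method=GET path=/latest/meta-data/iam/security-credentials/",
    "2023-09-28T10:06:03Z src_host=ml-serve-02 dst=203.0.113.50 dport=80 method=GET path=/model.mar",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.severity.upper():8} {f.host} -> {f.dst}: {f.reason}")
```

The metadata rule is kept separate from the allowlist rule on purpose: a metadata hit from a model server is a credential-theft indicator that should page on-call and trigger the ROTATE step, whereas an unknown external destination may be a misconfigured registry and deserves triage rather than an immediate rotation.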

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
September 28, 2023
Last Modified
November 21, 2024
First Seen
September 28, 2023

Scanner Template Available

A Nuclei vulnerability scanner template exists for this CVE. You can scan your infrastructure for this vulnerability immediately.

nuclei -t http/cves/2023/CVE-2023-43654.yaml -u https://target.example.com
