CVE-2023-48299 — MEDIUM (CVSS 5.3) AI Security Vulnerability

Q: Is CVE-2023-48299 actively exploited?

No confirmed active exploitation of CVE-2023-48299 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2023-48299?

1. Upgrade TorchServe to v0.9.0 or later — this is the only complete fix. 2. Restrict the management API (default port 8081) to trusted internal networks; never expose publicly. 3. Implement integrity verification (checksums or signatures) for all model archives before loading. 4. Run TorchServe as a least-privilege user to limit blast radius of any file write. 5. Scan model archives for path traversal entries before extraction. 6. Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

Q: What systems are affected by CVE-2023-48299?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference infrastructure, model deployment pipelines.

Q: What is the CVSS score for CVE-2023-48299?

CVE-2023-48299 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.43%.

CISO Take

TorchServe's model management API allowed ZIP archives to extract files to arbitrary filesystem paths — a classic ZipSlip attack. Any environment running TorchServe < 0.9.0 should upgrade immediately. The real risk is supply chain: a malicious public model on Hugging Face or a similar registry could weaponize this silently during routine model deployment.

Risk Assessment

CVSS 5.3 underrepresents operational risk in AI/ML environments. The attack requires no credentials, no user interaction, and works over the network — a nearly frictionless exploit path. In environments where teams routinely download and serve public models, this becomes a supply chain weapon. A malicious model archive can overwrite cron scripts, SSH authorized_keys, or application configs, escalating a file-write primitive to full RCE depending on process permissions.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
torchserve	pip	—	No patch
99.6K OpenSSF 6.4 21.7K dependents Pushed 6d ago 8% patched ~142d to patch Full package profile →

Do you use torchserve? You're affected.

Severity & Risk

CVSS 3.1

5.3 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 63% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A None

Recommended Action

6 steps

Upgrade TorchServe to v0.9.0 or later — this is the only complete fix.
Restrict the management API (default port 8081) to trusted internal networks; never expose publicly.
Implement integrity verification (checksums or signatures) for all model archives before loading.
Run TorchServe as a least-privilege user to limit blast radius of any file write.
Scan model archives for path traversal entries before extraction.
Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

Classification

Supply Chain Code Execution Framework Inference AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system lifecycle — supply chain security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-48299?

TorchServe's model management API allowed ZIP archives to extract files to arbitrary filesystem paths — a classic ZipSlip attack. Any environment running TorchServe < 0.9.0 should upgrade immediately. The real risk is supply chain: a malicious public model on Hugging Face or a similar registry could weaponize this silently during routine model deployment.

Is CVE-2023-48299 actively exploited?

No confirmed active exploitation of CVE-2023-48299 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-48299?

1. Upgrade TorchServe to v0.9.0 or later — this is the only complete fix. 2. Restrict the management API (default port 8081) to trusted internal networks; never expose publicly. 3. Implement integrity verification (checksums or signatures) for all model archives before loading. 4. Run TorchServe as a least-privilege user to limit blast radius of any file write. 5. Scan model archives for path traversal entries before extraction. 6. Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

What systems are affected by CVE-2023-48299?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference infrastructure, model deployment pipelines.

What is the CVSS score for CVE-2023-48299?

CVE-2023-48299 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.43%.

Technical Details

NVD Description

TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in open-source/public models, which can be downloaded from the internet, and take advantage of machines running Torchserve. The ZipSlip issue in TorchServe has been fixed by validating the paths of files contained within a zip archive before extracting them. TorchServe release 0.9.0 includes fixes to address the ZipSlip vulnerability.

Exploitation Scenario

An adversary publishes a PyTorch model on a public registry (Hugging Face, model zoo, S3 bucket) containing a crafted .mar archive. Inside the archive, file entries use '../../../' path sequences targeting sensitive locations such as /etc/cron.d/, ~/.ssh/authorized_keys, or application startup scripts. When a data scientist or MLOps engineer downloads and registers this model via TorchServe's management API (POST /models), the ZIP extraction writes the adversary's payload to arbitrary paths. If the payload targets a cron directory or init script, this achieves persistent remote code execution — triggered entirely by a routine model download with no other interaction required.