CVE-2023-48299: TorchServe: ZipSlip arbitrary file write via model upload

Q: Is CVE-2023-48299 actively exploited?

No confirmed active exploitation of CVE-2023-48299 has been reported, but organizations should still patch proactively.

Q: How to fix CVE-2023-48299?

1. Upgrade TorchServe to v0.9.0 or later — this is the only complete fix. 2. Restrict the management API (default port 8081) to trusted internal networks; never expose publicly. 3. Implement integrity verification (checksums or signatures) for all model archives before loading. 4. Run TorchServe as a least-privilege user to limit blast radius of any file write. 5. Scan model archives for path traversal entries before extraction. 6. Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

Q: What systems are affected by CVE-2023-48299?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference infrastructure, model deployment pipelines.

Q: What is the CVSS score for CVE-2023-48299?

CVE-2023-48299 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.67%.

MEDIUM

Published November 21, 2023

CISO Take

TorchServe's model management API allowed ZIP archives to extract files to arbitrary filesystem paths — a classic ZipSlip attack. Any environment running TorchServe < 0.9.0 should upgrade immediately. The real risk is supply chain: a malicious public model on Hugging Face or a similar registry could weaponize this silently during routine model deployment.

What is the risk?

CVSS 5.3 underrepresents operational risk in AI/ML environments. The attack requires no credentials, no user interaction, and works over the network — a nearly frictionless exploit path. In environments where teams routinely download and serve public models, this becomes a supply chain weapon. A malicious model archive can overwrite cron scripts, SSH authorized_keys, or application configs, escalating a file-write primitive to full RCE depending on process permissions.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 2d ago 11% patched ~216d to patch Full package profile →

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1

5.3 / 10

EPSS

0.7%

chance of exploitation in 30 days

Higher than 47% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A None

What should I do?

6 steps

Upgrade TorchServe to v0.9.0 or later — this is the only complete fix.
Restrict the management API (default port 8081) to trusted internal networks; never expose publicly.
Implement integrity verification (checksums or signatures) for all model archives before loading.
Run TorchServe as a least-privilege user to limit blast radius of any file write.
Scan model archives for path traversal entries before extraction.
Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

How is it classified?

Supply Chain Code Execution Framework Inference AML.T0010.003 - Model AML.T0011.000 - Unsafe AI Artifacts AML.T0018.002 - Embed Malware AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.15 - Accuracy, robustness and cybersecurity

ISO 42001

8.4 - AI system lifecycle — supply chain security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain and improve AI risk management

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2023-48299?

Is CVE-2023-48299 actively exploited?

No confirmed active exploitation of CVE-2023-48299 has been reported, but organizations should still patch proactively.

How to fix CVE-2023-48299?

1. Upgrade TorchServe to v0.9.0 or later — this is the only complete fix. 2. Restrict the management API (default port 8081) to trusted internal networks; never expose publicly. 3. Implement integrity verification (checksums or signatures) for all model archives before loading. 4. Run TorchServe as a least-privilege user to limit blast radius of any file write. 5. Scan model archives for path traversal entries before extraction. 6. Audit recently loaded models on affected versions for unexpected files in non-standard filesystem paths.

What systems are affected by CVE-2023-48299?

This vulnerability affects the following AI/ML architecture patterns: model serving, ML inference infrastructure, model deployment pipelines.

What is the CVSS score for CVE-2023-48299?

CVE-2023-48299 has a CVSS v3.1 base score of 5.3 (MEDIUM). The EPSS exploitation probability is 0.67%.

What is the AI security impact?

Affected AI Architectures

model servingML inference infrastructuremodel deployment pipelines

MITRE ATLAS Techniques

AML.T0010.003 Model

AML.T0011.000 Unsafe AI Artifacts

AML.T0018.002 Embed Malware

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art.15

ISO 42001: 8.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in open-source/public models, which can be downloaded from the internet, and take advantage of machines running Torchserve. The ZipSlip issue in TorchServe has been fixed by validating the paths of files contained within a zip archive before extracting them. TorchServe release 0.9.0 includes fixes to address the ZipSlip vulnerability.

Exploitation Scenario

An adversary publishes a PyTorch model on a public registry (Hugging Face, model zoo, S3 bucket) containing a crafted .mar archive. Inside the archive, file entries use '../../../' path sequences targeting sensitive locations such as /etc/cron.d/, ~/.ssh/authorized_keys, or application startup scripts. When a data scientist or MLOps engineer downloads and registers this model via TorchServe's management API (POST /models), the ZIP extraction writes the adversary's payload to arbitrary paths. If the payload targets a cron directory or init script, this achieves persistent remote code execution — triggered entirely by a routine model download with no other interaction required.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

[Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
[Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.