CVE-2024-35199: TorchServe: default gRPC exposure allows unauth inference
Severity: HIGH. Proof-of-concept available.

TorchServe exposes its gRPC inference (7070) and management (7071) ports on all network interfaces by default, granting unauthenticated remote access to any deployed PyTorch model. Any attacker with network visibility, including inside your perimeter, can query models, extract behavior, or cause denial of service with zero credentials. Upgrade to v0.11.0 immediately or block ports 7070-7071 at the firewall until you can patch.
What is the risk?
High practical risk for self-hosted TorchServe deployments. CVSS 8.2 with network vector, low complexity, and no authentication required makes this trivially exploitable by anyone who can reach the host. Shared cloud environments, multi-tenant Kubernetes clusters, and on-prem data science platforms are highest risk. Exposure is compounded because ML engineers rarely consider inference servers as attack surfaces. AWS SageMaker and EKS users are explicitly not affected per the advisory.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PyTorch | pip | — | No patch |
Do you use PyTorch? You're affected.
What should I do?
Six steps:
1. Upgrade to TorchServe v0.11.0, which binds the gRPC ports to localhost by default.
2. Immediate workaround if the upgrade is blocked: add host-based firewall rules blocking inbound access to ports 7070 and 7071 from untrusted networks.
3. Audit all TorchServe instances for network exposure: scan the internal network for open 7070/7071.
4. Enable TorchServe authentication tokens for the REST management API as defense-in-depth.
5. Segment model serving infrastructure in dedicated VLANs or security groups with least-privilege access.
6. Detect exploitation by monitoring inference logs for anomalous request volumes or unknown client IPs.
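The audit in steps 1 to 3 comes down to one question per host: are the gRPC ports listening on a loopback address or on a wildcard address? The script below is an added example for this advisory, not TorchServe project code. It parses the listening-socket table printed by `ss -ltn` (or `netstat -tln`), which it assumes is available on the host, and flags the two ports named in the advisory (7070 and 7071) whenever they are bound to anything other than loopback. The sample `ss` output embedded at the bottom is constructed to show a pre-0.11.0 deployment with both gRPC ports on all interfaces; running the script against real output reports the same `EXPOSED`/`ok` verdict per port.

```python
"""Audit listening sockets for TorchServe gRPC ports bound to all interfaces.

Added example for this advisory (not TorchServe project code). It parses the
text output of `ss -ltn` or `netstat -tln`, assumed to be available on the host,
and flags the gRPC inference/management ports from the advisory (7070/7071)
when they are bound to a wildcard or non-loopback address.
"""
import ipaddress
import re
import subprocess
from typing import Dict, List, NamedTuple

# Ports named in the advisory: gRPC inference and gRPC management.
TORCHSERVE_GRPC_PORTS: Dict[int, str] = {7070: "gRPC inference", 7071: "gRPC management"}


class Listener(NamedTuple):
    address: str
    port: int


class Finding(NamedTuple):
    port: int
    role: str
    address: str
    exposed: bool  # True when the socket is reachable from other hosts


# Matches the "Local Address:Port" column of ss/netstat, e.g. 0.0.0.0:7070,
# [::]:7071, :::7071, *:7070, 127.0.0.1:7070, ::ffff:10.1.5.12:7070.
_LOCAL_RE = re.compile(r"^(?P<addr>\*|\[[^\]]*\]|[0-9A-Fa-f:.]+):(?P<port>\d+)$")


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract (address, port) pairs from `ss -ltn` / `netstat -tln` text."""
    listeners: List[Listener] = []
    for line in ss_output.splitlines():
        for token in line.split():
            m = _LOCAL_RE.match(token)
            if m:
                addr = m.group("addr").strip("[]")
                listeners.append(Listener(addr, int(m.group("port"))))
                break  # the first address:port on a line is the local side
    return listeners


def is_exposed(address: str) -> bool:
    """True if a listener on this address is reachable from other hosts."""
    if address in ("*", ""):
        return True  # wildcard in ss/netstat notation
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # unrecognised form: treat as exposed so it gets reviewed
    # 0.0.0.0 and :: are not loopback, so they are reported as exposed;
    # 127.0.0.1 and ::1 are loopback and pass.
    return not ip.is_loopback


def audit(ss_output: str) -> List[Finding]:
    """Report each TorchServe gRPC port that is listening and whether it is exposed."""
    findings: List[Finding] = []
    for lst in parse_listeners(ss_output):
        role = TORCHSERVE_GRPC_PORTS.get(lst.port)
        if role:
            findings.append(Finding(lst.port, role, lst.address, is_exposed(lst.address)))
    return findings


def audit_local_host() -> List[Finding]:
    """Run `ss -ltn` on this machine (assumes iproute2 is installed) and audit it."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return audit(out)


# Constructed sample in the shape of `ss -ltn` output: a pre-0.11.0 TorchServe
# with both gRPC ports on all interfaces and the REST inference API on loopback.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*
LISTEN  0       4096    0.0.0.0:7070         0.0.0.0:*
LISTEN  0       4096    [::]:7071            [::]:*
LISTEN  0       128     127.0.0.1:22         0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT):
        status = "EXPOSED" if f.exposed else "ok"
        print(f"{status:8} {f.role} on {f.address}:{f.port}")
```

Replace `audit(SAMPLE_SS_OUTPUT)` with `audit_local_host()` to check the machine the script runs on; run it across a fleet with whatever remote-execution tool you already use and grep for `EXPOSED`. A port that is listening on a specific non-loopback address (for example an IPv4-mapped `::ffff:10.1.5.12`) is also reported as exposed, since it is reachable from the network even though it is not a wildcard bind.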
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-35199 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-35199, increasing the risk of exploitation.
What systems are affected by CVE-2024-35199?
This vulnerability affects the following AI/ML architecture patterns: model serving, inference infrastructure, ML production deployment, on-premises AI platforms, multi-tenant ML clusters.
What is the CVSS score for CVE-2024-35199?
CVE-2024-35199 has a CVSS v3.1 base score of 8.2 (HIGH). The EPSS exploitation probability is 0.63%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0024.002 Extract AI Model
- AML.T0029 Denial of AI Service
- AML.T0040 AI Model Inference API Access
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. In affected versions the two gRPC ports 7070 and 7071 are not bound to localhost by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected. This issue in TorchServe has been fixed in PR #3083. TorchServe release 0.11.0 includes the fix to address this vulnerability. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Exploitation Scenario
An attacker performing lateral movement inside a corporate network runs a port scan and discovers host 10.1.5.12 with ports 7070/7071 open. Using the TorchServe Python client or raw gRPC tooling (no credentials required), they enumerate all registered models via the management API, identify a proprietary fraud-detection model, and submit thousands of crafted inference requests to build a functional replica via model extraction. In parallel, they flood the inference port with oversized payloads to degrade availability for legitimate ML workloads—all without ever needing a username or password.
Weaknesses (CWE)
CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Related Vulnerabilities
- CVE-2024-5452 (9.8) pytorch-lightning: RCE via deepdiff Delta deserialization (same package: torch)
- CVE-2022-45907 (9.8) PyTorch: RCE via unsafe eval in JIT annotations (same package: torch)
- CVE-2022-0845 (9.8) pytorch-lightning: code injection enables full RCE (same package: torch)
- CVE-2023-43654 (9.8) TorchServe: SSRF + RCE via unrestricted model URL loading (same package: torch)
- CVE-2024-35198 (9.8) TorchServe: URL bypass enables arbitrary model loading (same package: torch)