Cyber Resilience

CVE-2023-43654

Severity: Critical · Public PoC available

Published: 28 September 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: available (TorchServe 0.8.2)
CVSS Score (v3.1): 10.0, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score: 0.9099 (99.7th percentile)
Risk Priority: 75 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-43654 is a critical-severity server-side request forgery (SSRF, CWE-918) vulnerability in PyTorch TorchServe. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 0.3% of all CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related and is categorised as Deep Learning Frameworks.

Deeper analysis

TorchServe, the model server for PyTorch, contains a server-side request forgery vulnerability (CWE-918) in versions 0.1.0 through 0.8.1. In the default configuration, the model URL supplied when a model is registered through the management API (POST /models with a url parameter) is not adequately validated, so the server can be made to fetch attacker-chosen HTTP(S) resources and write the downloaded archive to its local filesystem. The flaw received a CVSS score of 10.0 and is tracked as CVE-2023-43654.

An unauthenticated remote attacker who can reach the management API can supply a model archive from an attacker-controlled URL. Successful exploitation writes attacker-chosen content to disk, which can be leveraged to compromise system integrity and to access or alter sensitive data. TorchServe expects the operator to set the allowed_urls property (a comma-separated list of regular expressions that a model URL must match) and to specify model locations explicitly, but the shipped default, file://.*|http(s)?://.*, accepts any http(s) URL or local file path and so leaves instances exposed.

The project security advisory and the 0.8.2 release notes state that a warning is now logged when the default allowed_urls value remains in use; users should upgrade to 0.8.2 or later. The advisory documents no workarounds; the configuration it already expects, restricting allowed_urls to the hosts you actually load models from and not exposing the management API to untrusted networks, is the practical mitigation short of upgrading.

Public exploit references, including PacketStorm entries describing remote code execution through model registration and deserialization, accompany the advisory. The EPSS score has remained high, currently 0.91 with a recorded peak of 0.92, indicating sustained exploitation interest in this PyTorch serving component.
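The allowed_urls mechanism described above, as an added example that is not TorchServe's own code: a small Python re-implementation of the documented allowlist semantics (a comma-separated list of regular expressions, each of which must match the whole model URL) run over constructed registration URLs under the shipped default, a loosely written pattern and a pinned one. The hostnames, the attacker addresses and the helper names (url_allowed, evaluate, is_default_allowlist) are assumptions for illustration; the default value and the management API port are TorchServe's documented ones. It also illustrates the "validates server-side URLs" control listed under Mitigating Controls.

```python
"""Illustrative allowed_urls check for TorchServe model registration.

Added example, not TorchServe's own code. It mirrors the documented
semantics of the allowed_urls property (a comma-separated list of regular
expressions; a model URL may be registered only if it matches one of them)
with re.fullmatch, so that a weak and a hardened allowlist can be compared
against the same constructed registration URLs.
"""
import re

# TorchServe's documented default value: any http(s) URL or local file path.
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"

# Hardened allowlist pinned to one host and path prefix (host is hypothetical).
HARDENED_ALLOWED_URLS = r"https://models\.example\.com/.*"

# Well-meant but loose: unescaped dots and no trailing "/" leave the host unpinned.
LOOSE_ALLOWED_URLS = "https://models.example.com.*"


def compile_allowlist(allowed_urls: str) -> list[re.Pattern]:
    """Split the comma-separated property into compiled patterns."""
    return [re.compile(p.strip()) for p in allowed_urls.split(",") if p.strip()]


def url_allowed(url: str, allowed_urls: str) -> bool:
    """True if the whole URL matches at least one allowlist pattern."""
    return any(p.fullmatch(url) for p in compile_allowlist(allowed_urls))


def is_default_allowlist(allowed_urls: str) -> bool:
    """The condition the 0.8.2 warning fires on: allowed_urls was never changed."""
    return allowed_urls.strip() == DEFAULT_ALLOWED_URLS


# Constructed ?url= values a client might send to the management API
# (POST /models, port 8081 by default). Hosts and addresses are hypothetical
# (203.0.113.0/24 is a documentation range).
SAMPLE_URLS = {
    "legit": "https://models.example.com/resnet18.mar",
    "attacker_http": "http://203.0.113.10/shell.mar",
    "local_file": "file:///etc/passwd",
    "lookalike_host": "https://models.example.com.attacker.example/shell.mar",
}


def evaluate(allowed_urls: str) -> dict[str, bool]:
    """Registration decision for each sample URL under the given allowlist."""
    return {name: url_allowed(u, allowed_urls) for name, u in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for label, cfg in [("default", DEFAULT_ALLOWED_URLS),
                       ("loose", LOOSE_ALLOWED_URLS),
                       ("hardened", HARDENED_ALLOWED_URLS)]:
        note = "  (default value still in use; 0.8.2 logs a warning here)" if is_default_allowlist(cfg) else ""
        print(f"[{label}] allowed_urls={cfg}{note}")
        for name, allowed in evaluate(cfg).items():
            print(f"  {name:15s} {'ALLOW' if allowed else 'deny'}")
```

Under the default every sample URL is accepted, including the file:// path and the attacker's host. The loose pattern rejects plain http:// and file:// but still accepts the look-alike host because the unescaped dots match any character and nothing forces a "/" after the domain; the pinned pattern accepts only the intended host and path prefix. The same pinned value goes into config.properties as allowed_urls=https://models\.example\.com/.*; the 0.8.2 change only warns when the default is still in place, it does not change it for you.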

Vulnerability details

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.

CWE(s)

CWE-918: Server-Side Request Forgery (SSRF)
AI Security Analysis (AI-generated)

AI Category: Deep Learning Frameworks
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: pytorch

Affected Assets

Vendor: pytorch
Product: torchserve
Versions: 0.1.0 to 0.8.1 (fixed in 0.8.2)

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type cited in the NVD entry, CWE-918 (SSRF).

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation. Addresses: CWE-918.

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact. Addresses: CWE-918.

Validates server-side URLs and resource references to block SSRF attempts. Addresses: CWE-918.

Detects server-side request forgery through monitoring of unexpected outbound connections. Addresses: CWE-918.
