CVE-2023-43654
Published: 28 September 2023
Summary
CVE-2023-43654 is a critical-severity SSRF (CWE-918) vulnerability in PyTorch TorchServe. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Deep Learning Frameworks.
Deeper analysis
TorchServe, the model server for PyTorch, contains a server-side request forgery vulnerability (CWE-918) in versions 0.1.0 through 0.8.1. The default configuration does not adequately validate the model URL supplied when a model is registered, so the server can be made to perform outbound HTTP fetches and to write the fetched content to its local filesystem. The flaw received a CVSS score of 10.0 and is tracked under CVE-2023-43654.
A remote attacker who can reach the model-registration interface can supply a model archive from an attacker-controlled URL. Successful exploitation writes attacker-supplied files to disk, which can be leveraged to compromise system integrity and to access or alter sensitive data. The TorchServe operator is expected to restrict the allowed_urls list and to specify model locations explicitly, but the permissive default leaves instances that keep it exposed.
The project security advisory and release notes for version 0.8.2 state that a warning was added when the default allowed_urls value remains in use; users should upgrade immediately. No workarounds are documented.
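The following is an added example, not code from the TorchServe project or from the advisory. It shows the configuration hardening the advisory implies (a restrictive allowed_urls list instead of the permissive default) and a small pre-registration gate that applies that list to a model URL. It assumes, as TorchServe's documentation describes, that allowed_urls in config.properties is a comma-separated list of regular expressions and that the permissive default is `file://.*|http(s)?://.*`; the config snippets and URLs (203.0.113.5, models.example.internal) are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit

# Assumption (TorchServe's documented behaviour, not stated in the advisory text):
# allowed_urls is a comma-separated list of regexes and this is the permissive default.
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"

# Constructed config.properties samples. The weak one never sets allowed_urls,
# which is the exposed configuration the advisory describes.
WEAK_CONFIG = (
    "inference_address=http://0.0.0.0:8080\n"
    "management_address=http://127.0.0.1:8081\n"
    "model_store=/home/model-server/model-store\n"
)

# The hardened one pins remote fetches to one origin and file:// to the model store.
# Dots are escaped so the regex cannot be satisfied by a look-alike host.
HARDENED_CONFIG = (
    "inference_address=http://0.0.0.0:8080\n"
    "management_address=http://127.0.0.1:8081\n"
    "model_store=/home/model-server/model-store\n"
    r"allowed_urls=https://models\.example\.internal/.*,file:///home/model-server/model-store/.*"
    "\n"
)


def parse_allowed_urls(config_text: str) -> list[str]:
    """Return the allowed_urls patterns from a config.properties blob.

    Falls back to the permissive default when the key is absent, which is
    exactly the condition TorchServe 0.8.2 started warning about.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allowed_urls":
            return [p.strip() for p in value.split(",") if p.strip()]
    return [DEFAULT_ALLOWED_URLS]


def uses_default_allowed_urls(patterns: list[str]) -> bool:
    """True when the operator left allowed_urls at the permissive default."""
    return patterns == [DEFAULT_ALLOWED_URLS]


def is_model_url_allowed(url: str, patterns: list[str]) -> bool:
    """Anchored match: a pattern must cover the whole URL, not just a prefix."""
    return any(re.fullmatch(pattern, url) for pattern in patterns)


def audit_registration(url: str, config_text: str) -> dict:
    """Decide, before calling the registration API, whether a model URL should pass."""
    patterns = parse_allowed_urls(config_text)
    return {
        "scheme": urlsplit(url).scheme,
        "default_allowed_urls": uses_default_allowed_urls(patterns),
        "allowed": is_model_url_allowed(url, patterns),
    }


if __name__ == "__main__":
    attacker_url = "http://203.0.113.5/evil.mar"          # constructed, attacker-controlled
    trusted_url = "https://models.example.internal/resnet18.mar"
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for url in (attacker_url, trusted_url, "file:///etc/passwd"):
            print(name, url, audit_registration(url, cfg))
```

With the weak configuration the gate reports `default_allowed_urls: True` and admits the attacker URL; with the hardened one it admits only the pinned origin and the model-store path. Two points matter in practice: use an anchored match (`re.fullmatch`), since an unanchored search would let `https://models.example.internal.evil.test/` satisfy a host pattern, and keep `file://` in the list only for the model store itself.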
Public exploit references, including PacketStorm entries describing remote code execution via model registration and deserialization, accompany the advisory. The EPSS score has remained high, currently at 0.91 with a recorded peak of 0.92, indicating sustained exploitation interest in this PyTorch-serving component.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2697
Vulnerability details
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.
- CWE(s)
- CWE-918 (Server-Side Request Forgery)
AI Security Analysis
- AI Category
- Deep Learning Frameworks
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: pytorch
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing that attempts server-side requests to internal and attacker-controlled resources, identifying SSRF weaknesses for remediation.
- Monitoring and restricting outbound connections from the server at the network boundary, reducing the impact of SSRF.
- Validating server-side URLs and resource references against an allowlist to block SSRF attempts.
- Detecting server-side request forgery by monitoring for unexpected outbound connections.