AI and machine learning TorchServe servers vulnerable to malware attacks

A white padlock on a dark digital background.
(Image credit:

A vulnerability chain comprising three distinct flaws can be used to compromise vulnerable TorchServer servers, researchers have said, warning that if leveraged, the flaws can be used to take over the target endpoint and even run malware.

These are the findings of cybersecurity experts Oligo Security, which dubbed the three flaws “ShellTorch”.

TorchServe is a tool for serving PyTorch models in production, and is used by developers who train and build AI models, including academic researchers and large tech corporations (think Amazon or Google). Vulnerable servers include all versions between 0.3.0 and 0.8.1.

Protecting the premises

The first vulnerability is an unauthenticated management interface API flaw, allowing the attackers to make external requests, including uploading malicious models. The second flaw is tracked as CVE-2023-43654, a remote server-side request forgery that can be leveraged for remote code execution (RCE), while the third is tracked as CVE-2022-1471, a Java deserialization problem - also allowing for RCE.

Eagle-eyed readers might notice that the third flaw was actually discovered last year, and was just being used in this particular scenario. 

"Once an attacker can breach an organization's network by executing code on its PyTorch server, they can use it as an initial foothold to move laterally to infrastructure in order to launch even more impactful attacks, especially in cases where proper restrictions or standard controls are not present," Oligo said. Apparently, there are “tens of thousands” of vulnerable, internet-connected endpoints out there.

To make sure your networks remain secure, make sure to apply the latest patch and bring your TorchServer instances to version 0.8.2. You should also configure the management console properly, which means setting the management_address to in the file. Also, make sure to update the allowed_urls list of trusted domains in the file, to make sure the server only grabs good models.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.