Multiple critical vulnerabilities in the open-source TorchServe AI model-serving tool potentially expose tens of thousands of internet-exposed servers to remote code execution.
Security researchers have disclosed multiple critical vulnerabilities in the TorchServe tool that could be chained together to achieve remote code execution on affected systems. TorchServe is a popular tool for serving and scaling machine learning framework models and is maintained by Meta and Amazon. It is primarily used for AI model training and development, and its users range from academic researchers to big firms such as Amazon, OpenAI, Tesla, Azure, Google and Intel. The three critical vulnerabilities that make up ShellTorch affect TorchServe versions 0.3.0 through 0.8.1. The vulnerabilities were addressed in TorchServe version 0.8.2, which was released on 28th August 2023. Users are strongly encouraged to upgrade to the latest version to ensure that they have the most recent security fixes.
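As an added example (not code from the segment or from the TorchServe project), a short Python check that flags whether a TorchServe version string falls inside the affected range named above (0.3.0 through 0.8.1, fixed in 0.8.2), so an inventory of servers can be triaged before patching. The inventory dictionary is constructed sample data, and the installed-version lookup assumes TorchServe was installed from PyPI under the package name torchserve.

```python
import re
from importlib import metadata

# Version bounds as stated in the ShellTorch advisory coverage.
AFFECTED_MIN = (0, 3, 0)   # first affected release
AFFECTED_MAX = (0, 8, 1)   # last affected release
FIXED = (0, 8, 2)          # release that addressed the three vulnerabilities

# Accepts '0.8.1', 'v0.8.2', '0.8' and pre-release tags such as '0.8.2rc1'.
_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)(?:\.(\d+))?([A-Za-z][\w.]*)?")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a TorchServe version string."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised TorchServe version string: {text!r}")
    base = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return base, m.group(4) is not None


def is_affected(text):
    """True when the version lies in the affected range or is a pre-release of the fix."""
    base, prerelease = parse_version(text)
    if AFFECTED_MIN <= base <= AFFECTED_MAX:
        return True
    # A pre-release of 0.8.2 (e.g. 0.8.2rc1) predates the fixed release, so treat it as unpatched.
    return bool(prerelease and base == FIXED)


def triage(inventory):
    """Map each host to a patch decision; inventory is {hostname: version_string}."""
    return {host: ("patch to >= 0.8.2" if is_affected(v) else "ok")
            for host, v in inventory.items()}


def installed_status():
    """Check the TorchServe package in the current environment; None if not installed."""
    try:
        v = metadata.version("torchserve")
    except metadata.PackageNotFoundError:
        return None
    return v, is_affected(v)


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = {
    "inference-01": "0.8.1",
    "inference-02": "0.8.2",
    "research-gpu": "v0.7.0",
    "staging": "0.8.2rc1",
    "legacy": "0.2.0",
}

if __name__ == "__main__":
    for host, decision in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {SAMPLE_INVENTORY[host]:10s} {decision}")
```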
https://www.oligo.security/blog/shelltorch-torchserve-ssrf-vulnerability-cve-2023-43654
https://thehackernews.com/2023/10/warning-pytorch-models-vulnerable-to.html
https://therecord.media/pytorch-torchserve-vulnerabilities-amazon-meta-ai
https://www.theregister.com/2023/10/04/shelltorch_vulnerabilities/
https://www.bleepingcomputer.com/news/security/shelltorch-flaws-expose-ai-servers-to-code-execution-attacks/
This segment was created for the It’s 5:05 podcast