Three critical security issues [2] [7], collectively known as ShellTorch [2] [7], have been discovered in PyTorch’s TorchServe component. These vulnerabilities, identified as CVE-2023-43654 and CVE-2023-1471 [2], pose a significant threat to exposed TorchServe servers, potentially allowing attackers to execute arbitrary code on affected systems [6].


The first flaw is an unauthenticated management interface API flaw that enables external requests [3], including the uploading of malicious models. The second flaw is a remote server-side request forgery (SSRF) vulnerability, which allows for remote code execution (RCE) [3]. The third flaw is a Java deserialization problem that also allows for RCE [3]. Exploiting these vulnerabilities could lead to unauthorized access [2], the insertion of malicious AI models [2] [6], and even full server takeover [2]. It is estimated that there are tens of thousands of vulnerable [3], internet-connected endpoints [3]. Major companies such as Microsoft [1], Intel [1], Google [1] [5] [7], Walmart [1], and Amazon [1], including their AI infrastructure servers [1], have been found to be affected by ShellTorch.

To mitigate these risks [1], organizations are advised to update their TorchServe instances to version 0.8.2, released in August [1]. Additionally, properly configuring the management console and updating the list of trusted domains in the config.properties file is recommended, so that the server only accepts legitimate models [3]. Regular patching and updating of open-source packages are crucial to maintaining the security and integrity of critical systems [1]. Amazon and Meta have released an advisory recommending the update to TorchServe version 0.8.2 to address these vulnerabilities [7]. The maintainers of PyTorch collaborated with Oligo Security on the responsible disclosure of these issues [7]. Users are advised to update their systems and to use the configuration file to restrict the server to secure networks [4].
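The configuration advice above, as an added example that is not from the article or the TorchServe project: a small audit script that parses a TorchServe config.properties and flags a management API bound to all interfaces and an allowed_urls pattern that accepts models from any remote host. The two config fragments are constructed for this example (the keys management_address, inference_address and allowed_urls are real TorchServe options; the hostname models.example.internal is hypothetical).

```python
from urllib.parse import urlparse

# Constructed config.properties fragments (not taken from any real deployment).
# WEAK_CONFIG shows the setup the advisories warn about: the management API
# listens on every interface and allowed_urls admits any http(s) source.
WEAK_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
allowed_urls=file://.*|http(s)?://.*
"""

# Same file with the management API on loopback only and model sources
# limited to one trusted host (hypothetical hostname).
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
allowed_urls=https://models.example.internal/.*
"""

ANY_HOST = ("0.0.0.0", "::")  # wildcard bind addresses for IPv4 / IPv6


def parse_properties(text):
    """Minimal key=value parser for a Java-style .properties file."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def audit_config(text):
    """Return findings for the two settings the ShellTorch advisories focus on."""
    props = parse_properties(text)
    findings = []
    # TorchServe's documented default for management_address is loopback.
    mgmt = props.get("management_address", "http://127.0.0.1:8081")
    if urlparse(mgmt).hostname in ANY_HOST:
        findings.append("management API bound to all interfaces: " + mgmt)
    urls = props.get("allowed_urls")
    if urls is None:
        findings.append("allowed_urls not set; restrict it to trusted model sources")
    else:
        # allowed_urls is a comma-separated list of regexes; also splitting on
        # '|' is a heuristic so simple alternations are inspected piecewise.
        for alt in (a.strip() for a in urls.replace("|", ",").split(",")):
            if alt.endswith("://.*") and not alt.startswith("file"):
                findings.append("allowed_urls accepts any remote host: " + alt)
    return findings
```

Run audit_config over each fragment: the weak one yields two findings and the hardened one none.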


The ShellTorch vulnerabilities pose a significant risk to TorchServe servers, potentially leading to unauthorized access and the compromise of critical systems. By promptly updating to TorchServe version 0.8.2 and implementing proper configuration measures, organizations can mitigate these risks. However, the widespread impact of ShellTorch, affecting major companies and their AI infrastructure servers, highlights the importance of regular patching and updating of open-source packages. Moving forward, it is crucial for organizations to prioritize the security and integrity of their systems to prevent similar vulnerabilities from being exploited.


[1] https://www.dreaded.org/2023/10/05/ai/critical-torchserve-vulnerabilities-indicate-high-likelihood-of-ai-server-takeovers/
[2] https://cyberdefenseadvisors.com/new-critical-ai-vulnerabilities-in-torchserve-put-thousands-of-ai-models-at-risk/
[3] https://www.techradar.com/pro/security/ai-and-machine-learning-torchserve-servers-vulnerable-to-malware-attacks
[4] https://www.kiratas.com/2023/10/05/ai-tool-critical-security-vulnerabilities-in-torchserve/
[5] https://www.darkreading.com/application-security/critical-shelltorch-flaws-open-source-ai-google
[6] https://osintcorp.net/new-critical-ai-vulnerabilities-in-torchserve-put-thousands-of-ai-models-at-risk/
[7] https://www.csoonline.com/article/654332/new-critical-ai-vulnerabilities-in-torchserve-put-thousands-of-ai-models-at-risk.html