Generic filters
Exact matches only
Search in title
Search in content
Filter by Custom Post Type
Filter by Categories

[CVSS 9+] Critical Vulnerabilities Expose AI Models to Attacks

Executive Summary

Tens of thousands of internet-exposed servers, including those belonging to large organizations, are affected by a series of critical vulnerabilities known as ‘ShellTorch’ in the TorchServe AI model-serving tool.

These vulnerabilities allow access to proprietary AI models, insertion of malicious models, and leakage of sensitive data, potentially leading to code execution attacks and server takeovers.

To mitigate these risks, it is recommended to upgrade to TorchServe 0.8.2, configure the management console properly, and ensure models are fetched only from trusted domains.

About TorchServe

TorchServe is a powerful tool for serving PyTorch models in production. It provides developers with a flexible and efficient way to deploy their models at scale.

PyTorch is a machine learning framework based on the Torch library, used for applications such as computer vision and natural language processing.

TorchServe is built and maintained by AWS in collaboration with Facebook and is available as part of the PyTorch open-source project.

About ShellTorch Vulnerabilities

ShellTorch is a set of critical vulnerabilities that impact TorchServe versions 0.3.0 through 0.8.1. These vulnerabilities pose significant risks to servers using the TorchServe AI model-serving tool.

  1. Unauthenticated Management Interface API Misconfiguration
    • CVE-ID: CVE-2023-43654
    • Impact: Unrestricted access and upload of malicious models
    • CVSS: 9.8
    • This vulnerability arises from an API misconfiguration in the management interface, allowing any user unrestricted access. Attackers can exploit this flaw to upload malicious models.
  2. Remote Server-Side Request Forgery (SSRF)
    • CVE-ID: Not specified
    • Impact: Remote code execution
    • CVSS: Not specified
    • TorchServe’s API has a flaw that accepts requests from any domain, leading to an SSRF vulnerability. Attackers can upload malicious models triggering arbitrary code execution on the target server.
  3. Java Deserialization Vulnerability
    • CVE-ID: CVE-2022-1471
    • Impact: Remote code execution
    • CVSS: 9.8
    • This vulnerability is due to insecure deserialization in the SnakeYAML library. Attackers can upload a model with a malicious YAML file, leading to remote code execution.

These vulnerabilities expose servers running vulnerable versions of TorchServe to potential code execution attacks and server takeovers.


It is crucial to address these vulnerabilities promptly by upgrading to TorchServe 0.8.2, which includes a warning about the SSRF issue.

Additionally, proper configuration of the management console and allowing models only from trusted domains can enhance security.

Amazon has published a security bulletin with mitigation guidance for customers using Deep Learning Containers (DLC) in EC2, EKS, or ECS.

Oligo has also released a free checker tool to check for vulnerability to ShellTorch attacks.



Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.