Trio of TorchServe flaws means PyTorch users need an urgent upgrade
2023-10-04 01:28

A trio of now-patched security issues in TorchServe, an open-source tool for scaling PyTorch machine-learning models in production, could lead to server takeover and remote code execution, according to security researchers.

"The issues in TorchServe - an optional tool for PyTorch - were patched in August rendering the exploit chain described in this blog post moot," a Meta spokesperson told The Register.

The Meta spokesperson pointed users to an August 28 update to TorchServe version 0.8.2, which fixed a server-side request forgery flaw and an insecure version of SnakeYAML, plus two other security advisories a month later, as well as an October 2 update to the GitHub project's SECURITY.md that shows v0.8.2 is the only supported release.

Amazon issued its own security bulletin on Monday, which also said TorchServe version 0.8.2, released on August 28, addresses the security issues.

While none of the three companies have seen any indication ShellTorch has been exploited, Oligo co-founder and CEO Nadav Czerninski told The Register that the attack chain does not require technical expertise.

Properties file to ensure your server only fetches models from trusted domains, such as torchserve.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/10/04/shelltorch_vulnerabilities/