TorchServe Management API SSRF (CVE-2023-43654)
Description
TorchServe is a production-grade tool for serving and scaling PyTorch machine learning models. Versions 0.3.0 through 0.8.1 ship with a default allowed_urls setting that accepts any file://, http:// or https:// source, so the Management API's model registration endpoint (POST /models?url=...) fetches a model archive from whatever URL the caller supplies. The Management API does not authenticate callers in the affected versions, so anyone who can reach the management port (8081 by default) can use it for Server-Side Request Forgery: forcing the server to issue HTTP(S) requests to internal or external hosts, to read local files through file:// URLs, and, most seriously, to download and register an attacker-controlled model archive. Because a model archive carries Python handler code that the server executes when it loads the model, this is a path to remote code execution on the serving host.
Remediation
Immediately restrict model download sources by setting the allowed_urls parameter in the TorchServe configuration file, and upgrade to a fixed release. Follow these steps:
1. Edit your TorchServe configuration file (typically config.properties) and confirm the server is actually started with it, for example via the --ts-config flag or the TS_CONFIG_FILE environment variable; a config file that is present but not loaded changes nothing.
2. Add or modify the allowed_urls parameter to allow-list only trusted model repositories. The value is a comma-separated list of Java regular expressions that must match the entire URL, so escape literal dots and use .* (not a shell-style *) to cover the path:
allowed_urls=https://trusted-model-repo\.example\.com/.*,https://internal-storage\.company\.com/models/.*
Do not include a file:// pattern unless registration from local paths is genuinely required, and never reintroduce the permissive default (file://.*|http(s)?://.*).
3. Ensure the Management API is not exposed to untrusted networks by binding it to localhost or placing it behind an authenticating reverse proxy, and never publish the management port alongside the inference port:
management_address=http://127.0.0.1:8081
Container images commonly ship a configuration that binds both ports to 0.0.0.0; verify the effective management_address in your deployment rather than assuming the localhost default.
4. Implement network-level controls such as firewall rules that limit outbound connections from the TorchServe instance to the approved model repositories; egress filtering also blocks SSRF probes of cloud metadata endpoints and internal services.
5. Upgrade to TorchServe 0.8.2 or later, which addresses CVE-2023-43654. Configuration changes reduce exposure but do not replace the patch.
6. Treat model archives as code: review the handler and any serialized objects in a .mar before registration, even from trusted sources, and verify archive integrity (for example against a checksum published out of band) before loading.
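The following is an added example, written for this page and not part of TorchServe, that checks candidate model URLs against an allowed_urls value the way the remediation above intends. It assumes the documented config.properties format (key=value lines, comma-separated regex patterns) and that TorchServe applies each pattern as an anchored Java regex match, for which Python's re.fullmatch is the closest equivalent; the config fragments and URLs are constructed for the demonstration. It contrasts the permissive pre-0.8.2 default with the hardened allow-list, and shows why a glob-style trailing /* is a misconfiguration.

```python
import re

# Constructed config fragments for this example (not real TorchServe files).
# WEAK_CONFIG mirrors the permissive allowed_urls default that pre-0.8.2
# releases shipped with; HARDENED_CONFIG is the allow-list from the
# remediation steps, with dots escaped because the values are regexes.
WEAK_CONFIG = "allowed_urls=file://.*|http(s)?://.*\n"
HARDENED_CONFIG = (
    "management_address=http://127.0.0.1:8081\n"
    r"allowed_urls=https://trusted-model-repo\.example\.com/.*,"
    r"https://internal-storage\.company\.com/models/.*"
    "\n"
)

# Constructed URLs an operator or attacker might pass to POST /models?url=...
CANDIDATE_URLS = [
    "https://trusted-model-repo.example.com/resnet-18.mar",          # legitimate
    "https://internal-storage.company.com/models/bert.mar",          # legitimate
    "http://169.254.169.254/latest/meta-data/",                       # cloud metadata SSRF probe
    "file:///etc/passwd",                                             # local file read
    "https://trusted-model-repo.example.com.attacker.example/x.mar",  # host-suffix spoof
    "http://trusted-model-repo.example.com/resnet-18.mar",           # plain-HTTP downgrade
]


def parse_allowed_urls(config_text: str) -> list[str]:
    """Return the comma-separated regex list from an allowed_urls line.

    Follows the documented format: key=value lines, '#' comments, and a
    comma-separated list of patterns as the value. Returns [] if absent.
    """
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "allowed_urls":
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def url_allowed(url: str, patterns: list[str]) -> bool:
    """Anchored match of the URL against every pattern.

    Assumption: TorchServe applies the patterns as Java regexes with
    String.matches(), which requires the whole string to match;
    re.fullmatch is the closest Python equivalent for these patterns.
    """
    return any(re.fullmatch(pattern, url) for pattern in patterns)


def evaluate(config_text: str, urls: list[str]) -> dict[str, bool]:
    """Map each candidate URL to whether the given config would accept it."""
    patterns = parse_allowed_urls(config_text)
    return {url: url_allowed(url, patterns) for url in urls}


if __name__ == "__main__":
    for name, cfg in (("weak default", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: allowed_urls={parse_allowed_urls(cfg)}")
        for url, ok in evaluate(cfg, CANDIDATE_URLS).items():
            print(f"  {'ALLOW' if ok else 'block'}  {url}")
    # A glob-style '/*' is a regex for "zero or more slashes", so it never
    # matches a real archive path: a misconfiguration that blocks everything.
    print("glob pitfall allows resnet-18.mar:",
          url_allowed(CANDIDATE_URLS[0], ["https://trusted-model-repo.example.com/*"]))
```

Run it after editing config.properties to see which URLs the new allow-list would accept before restarting the server; the host-suffix and plain-HTTP cases are the ones that an unescaped or unanchored pattern would let through.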