CVE-2023-43654

CVE-2023-43654 is a critical-severity vulnerability in Pytorch Torchserve with a CVSS 3.x base score of 10.0. Its EPSS exploit-prediction score of 35% places it in the 98th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-918.

Key facts

Description

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.

Frequently asked questions

What is CVE-2023-43654?
TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This issue could be taken advantage of to compromise the integrity of the system and sensitive data. This issue is present in versions 0.1.0 to 0.8.1. A user is able to load the model of their choice from any URL that they would like to use. The user of TorchServe is responsible for configuring both the allowed_urls and specifying the model URL to be used. A pull request to warn the user when the default value for allowed_urls is used has been merged in PR #2534. TorchServe release 0.8.2 includes this change. Users are advised to upgrade. There are no known workarounds for this issue.
How severe is CVE-2023-43654?
CVE-2023-43654 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2023-43654 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 35% (98th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2023-43654?
CVE-2023-43654 affects Pytorch Torchserve. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2023-43654?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
When was CVE-2023-43654 published?
CVE-2023-43654 was published on 2023-09-28 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Pytorch Torchserve

All CVEs affecting Pytorch Torchserve →

Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities

Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →