CVE-2023-48299 in TorchServeinfo

Summary

by MITRE • 11/21/2023

TorchServe is a tool for serving and scaling PyTorch models in production. Starting in version 0.1.0 and prior to version 0.9.0, using the model/workflow management API, there is a chance of uploading potentially harmful archives that contain files that are extracted to any location on the filesystem that is within the process permissions. Leveraging this issue could aid third-party actors in hiding harmful code in open-source/public models, which can be downloaded from the internet, and take advantage of machines running Torchserve. The ZipSlip issue in TorchServe has been fixed by validating the paths of files contained within a zip archive before extracting them. TorchServe release 0.9.0 includes fixes to address the ZipSlip vulnerability.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 12/15/2023

The vulnerability identified as CVE-2023-48299 represents a critical ZipSlip vulnerability within TorchServe, a widely used tool for deploying and scaling PyTorch machine learning models in production environments. This security flaw affects versions 0.1.0 through 0.8.9 of the TorchServe framework, creating a significant risk for organizations that rely on this platform for model deployment. The vulnerability stems from inadequate validation of file paths during archive extraction processes, specifically within the model and workflow management APIs that handle model archives. The issue manifests when TorchServe processes compressed archives containing maliciously crafted file paths that can traverse directory structures beyond the intended extraction point, allowing arbitrary file placement on the target filesystem. This vulnerability directly aligns with CWE-22, which categorizes path traversal flaws, and represents a classic example of how archive extraction vulnerabilities can be exploited in containerized and server environments.

The technical exploitation of this vulnerability occurs when a malicious actor uploads a specially crafted archive file through TorchServe's model management API. During the extraction process, the system fails to validate whether file paths within the archive contain directory traversal sequences such as '../' or '..\\' that would allow files to be extracted outside of the designated model directory. When processed, these malicious paths can result in files being written to critical system locations such as /etc, /usr/bin, or other directories within the process permissions. This capability enables attackers to install backdoors, modify system binaries, or inject malicious code that persists across service restarts, effectively compromising the entire TorchServe deployment environment. The vulnerability is particularly dangerous because it can be exploited through legitimate model download mechanisms, allowing attackers to hide malicious code within seemingly benign open-source or public models that users routinely download and deploy.

The operational impact of CVE-2023-48299 extends beyond immediate system compromise to encompass broader organizational security risks and compliance violations. Organizations running vulnerable versions of TorchServe face potential data breaches, system infiltration, and disruption of machine learning workflows that could affect critical business operations. The vulnerability creates a persistent threat vector that can be exploited by attackers who gain access to model repositories or who can influence the model download process, making it particularly concerning for enterprises that rely on public model repositories. From an attacker's perspective, this vulnerability maps directly to ATT&CK technique T1059.001 for command and scripting interpreter and T1505.003 for server-side injection, as it enables attackers to establish persistent access and execute arbitrary code on systems running vulnerable TorchServe instances. The risk is amplified in cloud environments where TorchServe instances may be running with elevated privileges or where model artifacts are frequently downloaded from external sources without proper validation.

Organizations should immediately upgrade to TorchServe version 0.9.0 or later to remediate this vulnerability, as this release includes comprehensive fixes for the ZipSlip issue through proper path validation during archive extraction. Additional mitigations include implementing strict file validation policies for all model archives before deployment, utilizing containerized environments with restricted filesystem permissions, and employing network segmentation to limit access to TorchServe instances. Security teams should also implement monitoring solutions that detect unusual file system modifications or unauthorized model deployments, and establish secure software supply chain practices that validate the integrity of all downloaded model artifacts. The fix implemented in version 0.9.0 demonstrates proper secure coding practices by validating file paths against a whitelist of acceptable directories and rejecting any extraction attempts that would place files outside of the designated model working directory, effectively preventing the directory traversal behavior that enabled the vulnerability.

Responsible

GitHub, Inc.

Reservation

11/14/2023

Disclosure

11/21/2023

Moderation

accepted

CPE

ready

EPSS

0.00673

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!