ShellTorch Vulnerabilities Put Organizations at Risk of Server Takeover
TorchServe, an open-source tool for scaling PyTorch machine-learning models, had three security vulnerabilities that could lead to server takeover and remote code execution. These vulnerabilities, collectively known as "ShellTorch," affected tens of thousands of exposed instances. The flaws have been patched in the latest version of TorchServe (0.8.2), released in August. The vulnerabilities allowed unrestricted access to the management interface, enabled remote server-side request forgery, and allowed for unsafe deserialization attacks. While there have been no reported exploits, the vulnerabilities could be easily exploited by attackers with basic knowledge of TorchServe. Users are advised to update to the latest version and implement additional security measures.