SSRF in Pytorch Serve

CVE-2023-43654

TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe's default configuration lacks proper input validation, enabling third parties to invoke remote HTTP download requests and write files to the disk. This iss…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.917 (99.7th percentile).

CVSS v3 metric

CVSS v3 base score 10.0 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Frequently asked questions

What is CVE-2023-43654?
CVE-2023-43654 is a critical-severity vulnerability in Pytorch Serve, classified under Server-Side Request Forgery (SSRF). CVSS score: 10.0/10. Published 2023-09-28.
How severe is CVE-2023-43654?
Critical severity. CVSS v3 base score is 10.0 out of 10.
Is CVE-2023-43654 known to be exploited?
12 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.