CVE-2024-35198: 
TorchServe vulnerability analysis and mitigation

TorchServe, a flexible tool for serving and scaling PyTorch models in production, was found to contain a security vulnerability (CVE-2024-35198) affecting versions 0.3.0 to 0.10.0. The vulnerability was discovered in the allowed_urls configuration check mechanism, which could be bypassed using specific URL characters. The issue was disclosed and patched in July 2024, with customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS remaining unaffected (GitHub Advisory, AWS Bulletin).

The vulnerability stems from TorchServe's allowedurls configuration check mechanism, which failed to properly validate URLs containing characters such as ".." during model registration API calls. While the system would display an error message stating "Relative path is not allowed in url", it would still proceed to download the model into the model store. Once downloaded, the model could be referenced without providing a URL in subsequent requests, effectively bypassing the allowedurls security check. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (Critical) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

The vulnerability allows attackers to bypass security controls designed to restrict model loading from authorized URLs. This bypass could potentially lead to unauthorized model deployment and execution, compromising the security of the model serving infrastructure. The high CVSS score of 9.8 indicates critical severity with potential for significant impact on system security (GitHub Advisory).

The vulnerability has been fixed in TorchServe version 0.11.0 by implementing proper URL validation before downloading models. The fix specifically validates URLs to prevent the use of characters such as ".." that could lead to security bypasses. Users are strongly advised to upgrade to TorchServe version 0.11.0 or later. No workarounds are available for this vulnerability, making the upgrade the only effective mitigation (GitHub Release, GitHub Advisory).