GHSA-4mqg-h5jf-j9m7: 
TorchServe vulnerability analysis and mitigation

TorchServe versions 0.3.0 to 0.8.1 contain a critical pre-authentication Remote Code Execution (RCE) vulnerability identified as GHSA-4mqg-h5jf-j9m7. The vulnerability stems from the use of SnakeYAML v1.31 library, which contains multiple issues that expose users to unsafe deserialization of Java objects. This vulnerability was discovered and disclosed by Oligo Security to PyTorch maintainers Amazon and Meta (GitHub Advisory).

The vulnerability exists due to insecure use of the SnakeYAML library when parsing YAML configuration files in TorchServe. The issue occurs when TorchServe insecurely loads user input data using the default Constructor instead of SafeConstructor, which is the recommended procedure when parsing YAML files from untrusted sources. The vulnerability has a CVSS score of 10.0 (Critical) with attack vector being Network, attack complexity Low, and requiring Low privileges with No user interaction (Oligo Security).

This vulnerability could allow third parties to execute arbitrary code on the target system. The impact affects thousands of exposed TorchServe instances used by major organizations, including Fortune 500 companies and national governments. The vulnerability impacts several major platforms and services including AWS Neuron, Kubeflow, Kserve, MLflow, AnimatedDrawings, vertex-ai-samples, and mmdetection (Oligo Security).

The vulnerability has been patched in TorchServe version 0.8.2. Users are advised to upgrade to this version immediately. For users of AWS Deep Learning Containers (DLC), new image tags are available with the patched TorchServe version, including specific tags for x86 GPU, x86 CPU, Graviton, and Neuron architectures (GitHub Advisory).