CVE-2023-43654: TorchServe is a tool for serving and scaling PyTorch models in production. TorchServe default configuration lacks proper
Summary
TorchServe (a tool for running PyTorch machine learning models as web services) has a vulnerability in its default configuration that fails to validate user inputs properly, allowing attackers to download files from any URL and save them to the server's disk. This could let attackers damage the system or steal sensitive information, affecting versions 0.1.0 through 0.8.1.
Solution / Mitigation
Upgrade to TorchServe release 0.8.2 or later, which includes a warning when the default value for allowed_urls is used. Users should also configure the allowed_urls setting and specify which model URLs are permitted.
Vulnerability Details
10(critical)
EPSS: 91.6%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2023-43654
First tracked: February 15, 2026 at 08:37 PM
Classified by LLM (prompt v3) · confidence: 95%