Trio of TorchServe flaws means PyTorch users need an urgent upgrade

From theregister.com

A trio of now-patched security issues in TorchServe, an open-source tool for scaling PyTorch machine-learning models in production, could lead to server takeover and remote code execution (RCE), according to security researchers.

The three CVEs, collectively dubbed “ShellTorch,” rendered “tens of thousands of exposed instances” vulnerable, wrote software bill of material management firm Oligo Security’s Idan Levcovich, Guy Kaplan, and Gal Elbaz in a report published on Tuesday.

Meta, which along with Amazon manages the open source TorchServe project, downplayed the flaws and said they’ve been addressed.

Read more…