CVE-2024-35199 Overview
CVE-2024-35199 affects TorchServe, the official tool for serving and scaling PyTorch models in production. The vulnerability stems from an insecure default network binding. TorchServe's two gRPC listeners, inference on port 7070 and management on port 7071, are not bound to localhost by default in affected releases. Instead, they bind to all network interfaces when TorchServe starts, exposing the management and inference gRPC APIs to any network the host is attached to.
Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and Amazon EKS are not affected. The issue is categorized as CWE-668, Exposure of Resource to Wrong Sphere. TorchServe release 0.11.0 contains the fix, introduced via pull request #3083.
Critical Impact
Remote attackers with network access to a TorchServe host can reach the gRPC management and inference interfaces without authenticating, enabling unauthorized model operations and a high availability impact on the serving workload.
Affected Products
- PyTorch TorchServe versions prior to 0.11.0
- Self-managed TorchServe deployments using default gRPC configuration
- TorchServe instances exposing ports 7070 (inference gRPC) and 7071 (management gRPC)
Discovery Timeline
- 2024-07-19 - CVE-2024-35199 published to NVD
- 2025-09-04 - Last updated in NVD database
Technical Details for CVE-2024-35199
Vulnerability Analysis
TorchServe exposes two gRPC endpoints to support model inference and management. Port 7070 handles inference requests, while port 7071 handles management functions such as registering, scaling, and unregistering models. In vulnerable releases, the default server configuration binds these listeners to the wildcard address (all interfaces) rather than the loopback interface.
This binding makes the gRPC services reachable from any network the TorchServe host can communicate with. Because TorchServe's REST inference and management APIs default to 127.0.0.1, operators may assume the gRPC listeners do the same and not deploy upstream network controls. The result is unauthenticated remote access to model serving infrastructure.
The vulnerability requires no privileges and no user interaction. Exploitation affects the confidentiality of served models and the requests sent to them, the integrity of the model inventory (an attacker can register or replace models), and the availability of the inference service.
Root Cause
The root cause is an insecure default in the gRPC listener initialization logic. The server was built from a port number alone, which in grpc-java means listening on the wildcard address, rather than from an explicit 127.0.0.1 socket address. No configuration key existed to narrow the bind, and the gRPC endpoints required no authentication by default, compounding the exposure.
Attack Vector
An attacker with network reachability to the TorchServe host sends gRPC requests directly to port 7070 or 7071. Through the management interface on port 7071, the attacker can invoke administrative operations such as registering attacker-controlled model archives, changing worker counts, or unregistering legitimate models. A model archive carries its own handler code that the workers execute when the model loads, so a registered attacker-controlled archive runs attacker code in the worker processes; disrupting the management plane also produces a high availability impact on production inference workloads.
No authentication challenge protects these endpoints in the default configuration. Refer to the GitHub Security Advisory GHSA-hhpg-v63p-wp7w for additional technical context.
Detection Methods for CVE-2024-35199
Indicators of Compromise
- Unexpected inbound TCP connections to ports 7070 or 7071 originating from non-local IP addresses
- Unregistered or newly registered model archives appearing in the TorchServe model store without operator approval
- Worker process counts changing outside of normal deployment workflows
- TorchServe logs showing gRPC requests from source addresses outside the trusted management range
Detection Strategies
- Audit TorchServe host network listeners with netstat -tlnp or ss -tlnp and confirm whether 7070 and 7071 bind to 0.0.0.0 or 127.0.0.1
- Inventory all TorchServe deployments and identify versions earlier than 0.11.0
- Inspect TorchServe logs for management gRPC calls such as RegisterModel, UnregisterModel, and ScaleWorker that did not originate from the deployment pipeline
- Use external port scanning from outside the host subnet to verify whether gRPC ports respond remotely
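As an added example (not code from the page or from the TorchServe project), the listener audit in the first bullet can be scripted: the Python below parses `ss -tlnp` output and flags any listener on 7070 or 7071 whose local address is not loopback, then pairs that with a version check against 0.11.0. The `ss` output embedded here is a constructed sample so the script runs offline; `audit_host()` runs `ss` live when no sample is passed.

```python
"""Audit a host's listening sockets for TorchServe gRPC ports bound beyond loopback.

Added example for this advisory; it is not TorchServe's own tooling. It parses
`ss -tlnp` output (a constructed sample is embedded so it runs offline) and
flags any listener on 7070/7071 whose local address is not a loopback address.
"""
import ipaddress
import re
import subprocess

GRPC_PORTS = {7070: "inference gRPC", 7071: "management gRPC"}
FIXED_VERSION = (0, 11, 0)

# Constructed sample of `ss -tlnp` output from a hypothetical host running a
# pre-0.11.0 TorchServe: REST ports on loopback, gRPC ports on the wildcard.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       4096    127.0.0.1:8080       0.0.0.0:*          users:(("java",pid=1234,fd=42))
LISTEN  0       4096    127.0.0.1:8081       0.0.0.0:*          users:(("java",pid=1234,fd=43))
LISTEN  0       4096    0.0.0.0:7070         0.0.0.0:*          users:(("java",pid=1234,fd=45))
LISTEN  0       4096    [::]:7071            [::]:*             users:(("java",pid=1234,fd=46))
LISTEN  0       128     *:22                 *:*                users:(("sshd",pid=700,fd=3))
"""


def _split_local(local: str):
    """Split ss's 'addr:port' column into (host, port); handles [v6]:port and '*'."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def _is_loopback(host: str) -> bool:
    """True only for 127.0.0.0/8 and ::1; '*', 0.0.0.0 and :: are wildcard binds."""
    if host in ("*", ""):
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def find_exposed_grpc_listeners(ss_output: str) -> list:
    """Return one finding dict per TorchServe gRPC listener not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, port = _split_local(fields[3])
        if port not in GRPC_PORTS or _is_loopback(host):
            continue
        pid = re.search(r"pid=(\d+)", line)
        findings.append({
            "port": port,
            "role": GRPC_PORTS[port],
            "bind": host or "*",
            "pid": int(pid.group(1)) if pid else None,
        })
    return findings


def is_vulnerable_version(version: str) -> bool:
    """True when the TorchServe version string is older than the 0.11.0 fix."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED_VERSION


def audit_host(version: str, ss_output: str = None) -> list:
    """Combine the version and listener checks; run `ss` live if no output is given."""
    if ss_output is None:
        ss_output = subprocess.check_output(["ss", "-tlnp"], text=True)
    findings = find_exposed_grpc_listeners(ss_output)
    for f in findings:
        f["vulnerable_release"] = is_vulnerable_version(version)
    return findings


if __name__ == "__main__":
    for f in audit_host("0.10.0", SAMPLE_SS_OUTPUT):
        print(f"port {f['port']} ({f['role']}) bound to {f['bind']} by pid {f['pid']}")
```

A listener on a specific non-loopback address (for example a private interface IP) is also reported, since it is reachable from that network; whether that is acceptable depends on the firewall rules in front of it, which this script does not inspect.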
Monitoring Recommendations
- Forward TorchServe and host network logs to a centralized analytics platform for alerting on remote connections to gRPC ports
- Alert on any model registration event sourced from gRPC rather than internal CI/CD pipelines
- Continuously monitor outbound traffic from TorchServe hosts for model archives being fetched from unexpected locations, which is how a remotely registered attacker-controlled archive arrives on the host
How to Mitigate CVE-2024-35199
Immediate Actions Required
- Upgrade TorchServe to release 0.11.0 or later, which contains the fix from pull request #3083
- Restrict network access to ports 7070 and 7071 using host firewalls or cloud security groups until patching completes
- Audit running model inventories for unauthorized registrations and remove any unexpected entries
- Rotate credentials and tokens used by TorchServe if any unauthorized management activity is suspected
Patch Information
The fix is included in TorchServe 0.11.0. See the GitHub release v0.11.0 notes and pull request #3083 for implementation details. The patch binds the gRPC listeners to the loopback interface by default and adds configuration keys for operators who need a different bind address.
Workarounds
- No vendor-supplied workarounds exist for unpatched versions, per the GitHub Security Advisory GHSA-hhpg-v63p-wp7w
- Network-level controls such as firewall rules limiting access to 7070 and 7071 to trusted hosts can reduce exposure until upgrade
- Deploy TorchServe behind an authenticated reverse proxy or service mesh that enforces mutual TLS for gRPC traffic; this only helps if the proxy is the sole reachable path, so the raw 7070 and 7071 listeners must still be blocked from clients
# Configuration example: pin the gRPC bind addresses explicitly after upgrading to 0.11.0 or later
# (0.11.0 already defaults both addresses to 127.0.0.1; setting them explicitly guards against drift;
# key names as documented for 0.11.0, confirm against the configuration docs for your release)
# config.properties
grpc_inference_address=127.0.0.1
grpc_management_address=127.0.0.1
grpc_inference_port=7070
grpc_management_port=7071
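Added example, not TorchServe's own code: the following evaluates what a config.properties fragment like the one above will actually bind. It assumes the 0.11.0 keys `grpc_inference_address` / `grpc_management_address` default to 127.0.0.1, and that releases before 0.11.0 ignore those keys (no address key existed) and listen on all interfaces. Both configs in it are constructed, one pinning loopback and one deliberately widening the inference bind.

```python
"""Evaluate the effective gRPC bind addresses from a TorchServe config.properties.

Added example for this advisory, not TorchServe's own code. Assumptions: the
0.11.0+ keys grpc_inference_address / grpc_management_address default to
127.0.0.1, and releases before 0.11.0 ignore them and bind all interfaces.
"""
import re

FIXED_VERSION = (0, 11, 0)
DEFAULT_PORTS = {"inference": 7070, "management": 7071}

# Constructed config that pins both gRPC listeners to loopback.
PINNED_CONFIG = """\
# config.properties
grpc_inference_address=127.0.0.1
grpc_management_address=127.0.0.1
grpc_inference_port=7070
grpc_management_port=7071
"""

# Constructed config that deliberately widens the inference bind and moves the
# management port; legitimate only behind a firewall or an mTLS proxy.
WIDENED_CONFIG = """\
grpc_inference_address=0.0.0.0
grpc_management_port: 9071
"""


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _version_tuple(version: str) -> tuple:
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def effective_grpc_binds(config_text: str, version: str) -> dict:
    """Return {'inference': (addr, port), 'management': (addr, port)} as the server binds them."""
    props = parse_properties(config_text)
    patched = _version_tuple(version) >= FIXED_VERSION
    binds = {}
    for api, default_port in DEFAULT_PORTS.items():
        port = int(props.get(f"grpc_{api}_port", default_port))
        if patched:
            addr = props.get(f"grpc_{api}_address", "127.0.0.1")
        else:
            # Pre-fix releases bind by port only (wildcard); address keys are unknown to them.
            addr = "0.0.0.0"
        binds[api] = (addr, port)
    return binds


def exposed_apis(config_text: str, version: str) -> list:
    """Names of gRPC APIs whose effective bind is not a loopback address."""
    return [api for api, (addr, _) in effective_grpc_binds(config_text, version).items()
            if not (addr.startswith("127.") or addr == "::1")]


if __name__ == "__main__":
    for cfg_name, cfg in (("pinned", PINNED_CONFIG), ("widened", WIDENED_CONFIG)):
        for ver in ("0.10.0", "0.11.0"):
            print(cfg_name, ver, effective_grpc_binds(cfg, ver),
                  "exposed:", exposed_apis(cfg, ver))
```

The point the pre-0.11.0 branch makes is that adding the address keys to an unpatched deployment does nothing; the bind only narrows once the release that understands those keys is installed.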
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


