4 matches found
CVE-2024-35198
TorchServe contains a path-traversal style bypass in allowed_urls checking: URLs containing ".." can appear to pass validation, allowing a file to be downloaded into the model store and later referenced without a URL, effectively bypassing the security check. Affected component: TorchServeroot ca...
CVE-2024-35198 TorchServe bypass allowed_urls configuration
TorchServe is a flexible and easy-to-use tool for serving and scaling PyTorch models in production. TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a fi...
GHSA-WXCX-GG9C-FWP2 TorchServe vulnerable to bypass of allowed_urls configuration
Impact: TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which...
TorchServe vulnerable to bypass of allowed_urls configuration
Impact: TorchServe's check on the allowed_urls configuration can be bypassed if the URL contains characters such as ".." but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which...