ShellTorch Patch Availability

Can you share if there is a new release planned to address the ShellTorch vulnerabilities and if so the timing? We are working to address these vulnerabilities but for the SSRF issue, v0.8.2 just does a warning. We don’t want to patch twice if at all possible.


ShellTorch page: ShellTorch: Critical Vulnerabilities in TorchServe (including CVE-2023-43654)

ShellTorchChecker: GitHub - OligoCyberSecurity/ShellTorchChecker: A tool that checks if a TorchServe instance is vulnerable to CVE-2023-43654

AWS advisory: Reported TorchServe Issue (CVE-2023-43654)


Hi, torchserve developer here!

They blogged about issues that only affect torchserve, not PyTorch, and all the major issues they’ve listed out have been patched in 0.8.2.

Regarding the “just a warning part”, the blog was referring to some documentation changes that were missing; we’ve since made them. Doc changes don’t require a release, but we are indeed planning another release, 0.9.0, before Oct 15.

  1. Advise on how to secure torchserve when dealing with docker: updates to security guidelines and docker config by agunapal · Pull Request #2669 · pytorch/serve · GitHub
  2. In our docker examples we no longer use Bind torchserve container ports to localhost ports by namannandan · Pull Request #2646 · pytorch/serve · GitHub
  3. In our documentation we no longer use Update default address from to in documentation and examples by namannandan · Pull Request #2624 · pytorch/serve · GitHub
  4. We’re now recommending people use 0.8.2 for the latest security patches Update by msaroufim · Pull Request #2643 · pytorch/serve · GitHub

Also, we have since proactively fixed many more security issues, which you can follow by checking for the security tag on GitHub: Pull requests · pytorch/serve · GitHub

We take security very seriously on the team by including tools for code scanning and regular dependency upgrades, and we list out our approach here

Hi Mark,

Thank you for closing the loop. I’ll pass this along to the team we have working this response effort internally.

Best Regards,


Bruce Monroe

PE/Lead Engineer High Profile Response Events

Intel Product Security Incident Response Team


PSIRT Email:

Full Remote/East Coast Time Zone
