{"id":"PYSEC-2026-554","summary":"TorchServe vulnerable to bypass of allowed_urls configuration","details":"### Impact\nTorchServe's check on allowed_urls configuration can be by-passed if the URL contains characters such as \"..\" but it does not prevent the model from being downloaded into the model store. Once a file is downloaded, it can be referenced without providing a URL the second time, which effectively bypasses the allowed_urls security check. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.\n\n### Patches\nThis issue in TorchServe has been fixed by validating the URL without characters such as \"..\" before downloading: [#3082](https://github.com/pytorch/serve/pull/3082).\n\n TorchServe release 0.11.0 includes the fix to address this vulnerability.\n\n### References\n* [#3082](https://github.com/pytorch/serve/pull/3082)\n* [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)\n\nThank Kroll Cyber Risk for for responsibly disclosing this issue.\n\nIf you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.","aliases":["CVE-2024-35198","GHSA-wxcx-gg9c-fwp2"],"modified":"2026-07-01T20:23:10.252867Z","published":"2026-06-29T11:50:40.831171Z","references":[{"type":"WEB","url":"https://github.com/pytorch/serve/security/advisories/GHSA-wxcx-gg9c-fwp2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35198"},{"type":"WEB","url":"https://github.com/pytorch/serve/pull/3082"},{"type":"WEB","url":"https://github.com/pytorch/serve/commit/cdba0fd449c2fd23dcf37c54c0784035541d5114"},{"type":"PACKAGE","url":"https://github.com/pytorch/serve"},{"type":"WEB","url":"https://github.com/pytorch/serve/releases/tag/v0.11.0"},{"type":"PACKAGE","url":"https://pypi.org/project/torchserve"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-wxcx-gg9c-fwp2"}],"affected":[{"package":{"name":"torchserve","ecosystem":"PyPI","purl":"pkg:pypi/torchserve"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"0.11.0"}]}],"versions":["0.0.1b20200409","0.1.1","0.10.0","0.2.0","0.2.2","0.3.0","0.3.1","0.4.0","0.4.1","0.4.2","0.5.0","0.5.1","0.5.2","0.5.3","0.6.0","0.6.1","0.7.0","0.7.1","0.8.0","0.8.1","0.8.2","0.9.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/torchserve/PYSEC-2026-554.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}]}