CVE-2024-6577: TorchServe script references S3 bucket without ensuring ownership or confirming accessibility

March 20, 2025 (updated March 21, 2025)

In the latest version of pytorch/serve, the script ‘upload_results_to_s3.sh’ references the S3 bucket ‘benchmarkai-metrics-prod’ without ensuring its ownership or confirming its accessibility. This could lead to potential security vulnerabilities or unauthorized access to the bucket if it is not properly secured or claimed by the appropriate entity. The issue may result in data breaches, exposure of proprietary information, or unauthorized modifications to stored data.

References

github.com/advisories/GHSA-xx7c-j7h3-vjcq
github.com/pytorch/serve
huntr.com/bounties/20917570-8328-428f-bd1d-4fcd71fb2359
nvd.nist.gov/vuln/detail/CVE-2024-6577

Code Behaviors & Features

Detect and mitigate CVE-2024-6577 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →