VDB
KO
HIGH 8.2

PYSEC-2026-1971

TorchServe gRPC Port Exposure

Details

### Impact The two gRPC ports 7070 and 7071, are not bound to [localhost](http://localhost/) by default, so when TorchServe is launched, these two interfaces are bound to all interfaces. Customers using PyTorch inference Deep Learning Containers (DLC) through Amazon SageMaker and EKS are not affected.

### Patches This issue in TorchServe has been fixed in [#3083](https://github.com/pytorch/serve/pull/3083).

TorchServe release 0.11.0 includes the fix to address this vulnerability.

### References * [#3083](https://github.com/pytorch/serve/pull/3083) * [TorchServe release v0.11.0](https://github.com/pytorch/serve/releases/tag/v0.11.0)

Thank Kroll Cyber Risk for for responsibly disclosing this issue.

If you have any questions or comments about this advisory, we ask that you contact AWS Security via our [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / torchserve
Introduced in: 0.3.0 Fixed in: 0.11.0
Fix pip install --upgrade 'torchserve>=0.11.0'

References