NVIDIA Triton Inference Server Model Repository Path Traversal Allows Arbitrary File Read
Overview
A path traversal vulnerability was discovered in NVIDIA's Triton Inference Server, a widely used server for deploying and serving AI models at scale. The vulnerability exists in the model loading API endpoint, which failed to properly sanitize the user-provided model name. An unauthenticated remote attacker could craft a specially formatted API request containing directory traversal sequences (e.g., `../`). By specifying a model name such as `../../../../etc/passwd`, the attacker could trick the server into loading an arbitrary file from the host filesystem instead of a legitimate model file from the designated model repository. Successful exploitation allows the attacker to read any file accessible to the user running the Triton server process. This could include configuration files containing secrets, source code, private keys, or other proprietary data, leading to significant information disclosure and potentially enabling further attacks on the infrastructure.
Affected Systems
Testing Guide
1. Identify the API endpoint for loading a model in your Triton deployment.
2. Use a tool like `curl` to send a POST request to the model control API endpoint to load a model.
3. In the request, specify a model name that includes path traversal sequences, for example: `curl -X POST <triton-server-ip>:8000/v2/repository/models/../../../../etc/hosts/load`.
4. If the server returns an error message indicating that it attempted to read the specified file (e.g., 'file not found' but referencing the full path) or, in the worst case, returns the file's contents, the server is vulnerable.
Mitigation Steps
1. **Upgrade Triton:** Update the NVIDIA Triton Inference Server to version 23.02 or later, where the path sanitization logic has been corrected.
2. **Principle of Least Privilege:** Run the Triton server process as a dedicated, low-privilege user with restricted filesystem access. The user should only have read/write permissions for the model repository and necessary log directories.
3. **Use Container Security:** Deploy Triton in a container with a read-only root filesystem, mounting only the required directories as writable volumes.
4. **Network Segmentation:** Place the Triton Inference Server behind a reverse proxy or API gateway that can inspect and filter malicious requests. Restrict network access to the server to only trusted clients.
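As an added example (not Triton's own code or the page's), the kind of model-name check that the sanitization fix and a filtering reverse proxy (mitigations 1 and 4) need, plus a scan of access-log lines for the traversal pattern from the Testing Guide. The log format, repository path and model names are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Added example, not Triton's code: validate the <model_name> segment of the
# model control API (/v2/repository/models/<model_name>/load) and confine the
# resolved directory to the model repository. All paths below are constructed.

MODEL_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def is_safe_model_name(name: str) -> bool:
    """Allow only plain directory names: no separators, no '..', no encoding tricks."""
    decoded = unquote(name)
    if decoded != unquote(decoded):          # double-encoded input, e.g. %252e%252e
        return False
    return MODEL_NAME_RE.fullmatch(decoded) is not None


def resolve_model_dir(repo_root: str, name: str):
    """Return the canonical model directory, or None if it would leave repo_root."""
    if not is_safe_model_name(name):
        return None
    root = os.path.realpath(repo_root)
    candidate = os.path.realpath(os.path.join(root, unquote(name)))
    # commonpath rather than startswith, so /models is not matched by /models_old;
    # realpath also catches a symlink inside the repository that points outside it
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


LOAD_RE = re.compile(r'"(?:POST|GET) /v2/repository/models/(.+)/(?:load|unload) ')


def flag_traversal_requests(log_lines):
    """Return the model names from access-log lines that fail validation."""
    flagged = []
    for line in log_lines:
        m = LOAD_RE.search(line)
        if m and not is_safe_model_name(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed access-log lines for a self-check
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00] "POST /v2/repository/models/resnet50/load HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:01] "POST /v2/repository/models/../../../../etc/hosts/load HTTP/1.1" 400',
    '10.0.0.9 - - [01/Jan/2024:10:00:02] "POST /v2/repository/models/%2e%2e%2fsecrets/load HTTP/1.1" 400',
]

if __name__ == "__main__":
    print(flag_traversal_requests(SAMPLE_LOG))
```

A proxy that canonicalizes URLs before logging may already have collapsed the `..` segments, so apply the check to the raw request path where possible.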
Patch Details
The vulnerability was addressed in NVIDIA Triton Inference Server version 23.02 and all subsequent releases.