NVIDIA Triton Inference Server Path Traversal Allows Unauthorized Model Access
Overview
A high-severity path traversal vulnerability was identified in the NVIDIA Triton Inference Server, affecting its model repository loading mechanism. The vulnerability, designated CVE-2025-0155, allows a remote, unauthenticated attacker to read arbitrary files from the server's filesystem by crafting a malicious model repository path. Triton's API allows clients to load models from specified locations; however, versions prior to 2.45.0 failed to properly sanitize path inputs containing `../` sequences. An attacker could exploit this by sending a request to load a model from a path like `file:///models/../../../../etc/passwd`. The server would accept this path as-is, traverse outside the intended model repository directory and expose sensitive system files. The impact includes the exfiltration of sensitive data such as configuration files, the process environment (for example via `/proc/self/environ`, which may hold cloud credentials), SSH keys, and potentially proprietary model weights if their location is known or guessable. This could lead to further system compromise, intellectual property theft, and a complete breakdown of security boundaries in a multi-tenant MLOps environment. The issue was discovered during a security audit by a major cloud provider and was responsibly disclosed to NVIDIA.
Affected Systems
NVIDIA Triton Inference Server versions prior to 2.45.0. Any deployment that exposes the model repository load API to clients that are not fully trusted is affected; the request requires no authentication.
Testing Guide
1. **Identify Triton Endpoint:** Locate the HTTP API endpoint of your running Triton Inference Server (port 8000 in the example below).
2. **Send Malicious Request:** Use a tool like `curl` to ask the model repository API to load a non-existent model from a crafted path. Example: `curl -X POST http://<triton-host>:8000/v2/repository/models/pwn/load -d '{"path":"file:///repository/../../../../etc/shadow"}'`.
3. **Analyze Response:** A vulnerable server will likely return an error message that confirms it attempted to access the path, such as 'File not found' or 'Permission denied' for `/etc/shadow`, indicating the traversal was successful but blocked by filesystem permissions. A patched server will return an 'Invalid path' error. Because `/etc/shadow` is readable only by root, a 'Permission denied' response proves the traversal reached the file without disclosing it; probe a world-readable file such as `/etc/passwd` (as in the overview) when you need an unambiguous positive. Exact error wording varies between versions, so compare the response against a known-patched instance rather than matching strings.
Mitigation Steps
1. **Upgrade Triton Server:** Update all instances of NVIDIA Triton Inference Server to version `2.45.0` or later. This is the only complete fix; the remaining steps limit blast radius.
2. **Restrict Filesystem Permissions:** Run the Triton server process under a dedicated, low-privilege user account with read/write permissions limited to the directories it needs (e.g., the model repository), and keep credentials out of the process environment and out of files that user can read.
3. **Use a Web Application Firewall (WAF):** Deploy a WAF to filter incoming API requests for common path traversal patterns like `../`. Treat this as defense in depth only: percent-encoded (`%2e%2e%2f`) and double-encoded variants slip past naive pattern rules unless the WAF decodes before matching.
4. **Disable Dynamic Model Loading:** If your use case allows, disable the dynamic loading of new model repositories at runtime and rely on a statically configured set of models. In Triton this is the `--model-control-mode=none` setting, under which load and unload requests through the model control API are refused.
Patch Details
Patched in Triton Inference Server version 2.45.0. The fix involves normalizing repository paths and ensuring they resolve to a location within the designated model repository root. A correct containment check of this kind runs on the canonical path, after any `file://` prefix is stripped and percent-encoding is decoded, and compares whole path components rather than a string prefix, so that `/models/../etc` and `/models-evil` are both rejected while `/models/resnet50` is accepted.
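The following added example (not Triton's code, and not the vendor's patch) shows a naive repository-path resolver of the kind the advisory describes beside a hardened one that canonicalizes the requested path and refuses anything outside the repository root. The function names, the `file://` handling, the hypothetical root `/models` and the sample request paths are assumptions made for illustration; it also covers the symlink case the lexical check alone would miss.

```python
"""Added example: vulnerable vs. hardened model-repository path resolution.
Not Triton's code. Function names, the 'file://' handling, the root
'/models' and the sample requests below are assumptions for illustration."""
import os
import tempfile
from urllib.parse import unquote, urlparse

REPO_ROOT = "/models"  # hypothetical model repository root


def to_fs_path(requested: str) -> str:
    """Strip a file:// scheme and decode percent-encoding, without normalizing."""
    path = urlparse(requested).path if requested.startswith("file://") else requested
    return unquote(path)  # '%2e%2e%2f' variants must be decoded before any check


def vulnerable_resolve(root: str, requested: str) -> str:
    """Pre-fix behaviour: join onto the root and collapse '..' lexically.
    There is no containment check, so '../' walks above the root and an
    absolute path outside the root is accepted as well."""
    path = to_fs_path(requested)
    candidate = path if os.path.isabs(path) else os.path.join(root, path)
    return os.path.normpath(candidate)


def safe_resolve(root: str, requested: str) -> str:
    """Patched behaviour: canonicalize (symlinks included) and require the
    result to sit inside the canonical root; raise ValueError otherwise."""
    real_root = os.path.realpath(root)
    path = to_fs_path(requested)
    candidate = path if os.path.isabs(path) else os.path.join(real_root, path)
    candidate = os.path.realpath(candidate)
    # commonpath, not startswith: '/models-evil' must not pass as '/models'
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise ValueError(f"Invalid path: {requested!r} resolves to {candidate}, outside {root}")
    return candidate


SAMPLE_REQUESTS = [  # constructed request paths mirroring the advisory's probes
    "resnet50",
    "file:///models/resnet50",
    "file:///models/../../../../etc/passwd",
    "resnet50/../../etc/passwd",
    "%2e%2e/%2e%2e/etc/passwd",
    "file:///models-evil/resnet50",
]


def classify(requests, root=REPO_ROOT):
    """Map each request to (vulnerable result, hardened result or 'rejected')."""
    out = {}
    for req in requests:
        try:
            hardened = safe_resolve(root, req)
        except ValueError:
            hardened = "rejected"
        out[req] = (vulnerable_resolve(root, req), hardened)
    return out


def symlink_escape_is_rejected() -> bool:
    """A symlink inside the repository pointing outside it defeats purely
    lexical checks. Build that layout in a temp dir (constructed scenario)
    and confirm the hardened resolver still rejects 'leak/key'."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "models")
        outside = os.path.join(tmp, "secrets")
        os.makedirs(root)
        os.makedirs(outside)
        with open(os.path.join(outside, "key"), "w") as f:
            f.write("constructed secret\n")
        os.symlink(outside, os.path.join(root, "leak"))
        try:
            safe_resolve(root, "leak/key")
        except ValueError:
            return True
        return False


if __name__ == "__main__":
    for req, (vuln, hard) in classify(SAMPLE_REQUESTS).items():
        print(f"{req!r:45} vulnerable -> {vuln:20} hardened -> {hard}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

Running the block prints each probe beside the path the naive resolver would open and the hardened resolver's verdict; only the two in-repository requests survive the hardened check, and the symlink scenario is rejected because `realpath` is applied before the containment comparison.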