Path Traversal in NVIDIA Triton Inference Server allows Arbitrary File Read/Write
Overview
A high-severity path traversal vulnerability was discovered in the model repository management component of NVIDIA Triton Inference Server. The vulnerability, assigned CVE-2025-46011, affects the server's API endpoints responsible for loading, unloading, and managing models from a repository. An attacker with network access to the Triton server's management port could send a specially crafted API request with a model name containing 'dot-dot-slash' (`../`) sequences. Because the model path was not properly sanitized, the server resolved it outside of the intended model repository directory.

A successful exploit could allow a remote attacker to read arbitrary files from the server's filesystem, such as configuration files, source code, or SSH keys, by crafting a malicious model path. In configurations where the server has write permissions, the vulnerability could also be leveraged for arbitrary file write, potentially leading to remote code execution by uploading a web shell, a malicious model, or overwriting critical system files. This is a particular concern in multi-tenant environments where different users are permitted to manage their own models, as one malicious tenant could access data belonging to others or compromise the entire host system.
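The resolution flaw described above, reconstructed as an added illustration rather than Triton's own code: a naive join of the untrusted model name beside a hardened resolver that allows only single-component names and then verifies the canonical path stays inside the repository, exercised against a constructed throwaway repository (the regex and every function name here are this example's own assumptions).

```python
import os
import re
import tempfile
from pathlib import Path

# A Triton model name is a single directory name inside the repository, so anything
# that is not one plain path component is already malformed. Policy is this example's.
_MODEL_NAME = re.compile(r"[A-Za-z0-9._-]+")

def naive_model_dir(repo_root: str, model_name: str) -> str:
    """The flawed pattern: join the untrusted name and trust whatever comes out."""
    return os.path.normpath(os.path.join(repo_root, model_name))

def safe_model_dir(repo_root: str, model_name: str) -> Path:
    """Return the model directory only if it stays inside repo_root, else raise."""
    if model_name in (".", "..") or not _MODEL_NAME.fullmatch(model_name):
        raise ValueError(f"invalid model name: {model_name!r}")
    root = Path(repo_root).resolve(strict=True)
    candidate = (root / model_name).resolve()  # canonicalises symlinks as well
    # Second line of defence: the canonical path must sit directly under the root,
    # which also catches a symlink inside the repository that points elsewhere.
    if candidate.parent != root:
        raise ValueError(f"model path escapes repository: {candidate}")
    return candidate

def accepts(repo_root: str, model_name: str) -> bool:
    """True if the hardened resolver accepts the name, False if it rejects it."""
    try:
        safe_model_dir(repo_root, model_name)
        return True
    except (ValueError, OSError):
        return False

def build_demo_repo() -> tuple[str, str]:
    """Constructed demo repository: one real model plus a symlink leaving the repo."""
    base = tempfile.mkdtemp(prefix="triton-demo-")
    repo = os.path.join(base, "models")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(repo, "resnet50"))
    os.makedirs(outside)
    os.symlink(outside, os.path.join(repo, "escape"))
    return repo, outside

if __name__ == "__main__":
    demo_repo, _ = build_demo_repo()
    for name in ["resnet50", "../../../../etc/passwd", "escape"]:
        print(f"{name!r:28} naive={naive_model_dir(demo_repo, name)!r} "
              f"accepted={accepts(demo_repo, name)}")
```

Run stand-alone, the script shows the naive join resolving the `../` name outside the repository while the hardened resolver rejects both it and the symlink.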
Affected Systems
Testing Guide
1. Identify the API endpoint for loading a model in your Triton server.
2. Craft an API request to load a new model, but for the model name/path parameter, use a path traversal payload. For example: `{"model_name": "../../../../etc/passwd"}`.
3. Send the request to the server.
4. If the server response contains the contents of the `/etc/passwd` file or returns an error message indicating it attempted to access that path, the server is vulnerable.
5. **Perform this testing in a non-production environment.**
Mitigation Steps
1. **Upgrade Triton Server:** Update to NVIDIA Triton Inference Server version 25.08 or later by pulling the latest container image from the NVIDIA NGC catalog.
2. **Restrict Network Access:** Limit access to the Triton Inference Server's HTTP/gRPC service ports (typically 8000, 8001, 8002) to trusted clients and networks using firewall rules.
3. **Run as Non-Root User:** Run the Triton server container with a non-root user to limit the impact of a successful file write or read exploit.
4. **Read-Only Model Repository:** If models are not managed dynamically, mount the model repository as read-only within the container to prevent arbitrary file writes.
Patch Details
The vulnerability is addressed in the August 2025 (25.08) release of the Triton Inference Server container available on NVIDIA NGC.