Path Traversal in NVIDIA Triton Inference Server Enables Arbitrary File Access
Overview
A high-severity path traversal vulnerability was discovered in NVIDIA Triton Inference Server. The server's API for loading and managing models from a model repository did not properly sanitize user-provided file paths. An attacker with API access to the Triton server could craft a malicious request specifying a model location using 'dot-dot-slash' (`../`) sequences. This allows the attacker to traverse outside the intended model repository directory and access arbitrary files and directories on the underlying host filesystem. Successful exploitation could allow an unauthenticated remote attacker to read sensitive files, such as `/etc/passwd`, SSH keys, or application source code. In configurations where the Triton server runs with write permissions, the vulnerability could also be used to write arbitrary files, potentially leading to remote code execution by overwriting executables, configuration files, or user profile scripts like `.bashrc`. This vulnerability poses a significant risk in multi-tenant environments or any deployment where the Triton API is exposed, because it breaks the security boundary between the inference service and the host machine.
Affected Systems
Testing Guide
1. **Check Triton Version**: Run `docker inspect <triton_container_id>` or check your deployment configuration to determine the version of the Triton Inference Server image you are using.
2. **Send Test API Request**: Using a tool like `curl`, send a repository index API request attempting to list files outside the repository. Example: `curl -v -X POST <triton-host>:8000/v2/repository/index -d '{"repository_path": "/path/to/your/repo/../../../../etc/"}'`.
3. **Analyze Response**: If the server responds with a listing of files from the `/etc/` directory, you are vulnerable. A patched or secure system will return an error indicating an invalid path.
Mitigation Steps
1. **Upgrade Triton**: Immediately upgrade the NVIDIA Triton Inference Server to version 24.01 or later, which contains the patch for this vulnerability.
2. **Restrict API Access**: Limit network access to the Triton server's API endpoints to trusted IP ranges. Do not expose the management API to the public internet.
3. **Use Rootless Containers**: Run Triton in a rootless container with a read-only filesystem where possible. This significantly reduces the impact of a successful file write exploit.
4. **Filesystem Permissions**: Ensure the user account running the Triton server process has the minimum necessary file permissions for its model repositories and cannot write to sensitive system locations.
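The check a patched repository-index handler must perform, and the reason the naive version fails against the payload from the testing guide, shown as an added example that is not Triton's code. The `/models` root, the `handle_repository_index` handler and the `PathTraversalError` class are assumptions for illustration.

```python
"""Added example (not Triton's code): confining a client-supplied
repository_path to the configured model repository root."""
import json
import os
from urllib.parse import unquote

MODEL_REPO = "/models"  # assumed repository root for this example


class PathTraversalError(ValueError):
    """Raised when a requested path resolves outside the repository."""


def naive_is_allowed(repo_root: str, requested: str) -> bool:
    """Vulnerable pattern: a prefix check on the raw string.
    "/models/../etc/passwd" starts with "/models", so it passes."""
    return requested.startswith(repo_root)


def confine_to_repo(repo_root: str, requested: str) -> str:
    """Return the canonical path if it stays inside repo_root, otherwise
    raise PathTraversalError.  Canonicalise first, compare afterwards."""
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in path")
    decoded = unquote(requested)  # one decode so %2e%2e%2f is seen as ../
    root = os.path.realpath(repo_root)
    # Relative paths are taken relative to the root; an absolute path
    # replaces the root in os.path.join and must already point inside it.
    candidate = os.path.realpath(os.path.join(root, decoded))
    # commonpath compares whole components, so "/models-old" is not "/models".
    if os.path.commonpath([root, candidate]) != root:
        raise PathTraversalError(f"{requested!r} escapes {root}")
    return candidate


def is_confined(repo_root: str, requested: str) -> bool:
    """Boolean wrapper around confine_to_repo for policy checks and tests."""
    try:
        confine_to_repo(repo_root, requested)
        return True
    except PathTraversalError:
        return False


def handle_repository_index(body: str) -> dict:
    """Hypothetical index handler: parse the JSON body, confine the path, and
    return either the directory to list or an error, never an outside listing."""
    req = json.loads(body)
    try:
        path = confine_to_repo(MODEL_REPO, req.get("repository_path", ""))
    except PathTraversalError as exc:
        return {"error": str(exc)}
    return {"repository_path": path}
```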
Patch Details
Patched in NVIDIA Triton Inference Server version 24.01 and all subsequent releases.