AI Threat Alert

CVE-2024-8019

GHSA-4cv3-v7pv-rfhf CRITICAL
Published March 20, 2025

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing...

Full analysis pending. Showing NVD description excerpt.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch-lightning pip < 2.4.0 2.4.0

Do you use pytorch-lightning? You're affected.

Severity & Risk

CVSS 3.1
9.1 / 10
EPSS
1.1%
chance of exploitation in 30 days
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update pytorch-lightning to version 2.4.0

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
March 20, 2025
Last Modified
March 21, 2025
First Seen
March 24, 2026
Back to Threat Feed