Remote Code Execution Vulnerability in pytorch-lightning Library
CVE-2024-5452
Key Information:
- Vendor: Lightning-ai
- CVE Published: 6 June 2024
What is CVE-2024-5452?
A remote code execution vulnerability in the lightning-ai/pytorch-lightning library version 2.2.1 arises from improper handling of deserialized user input combined with mismanagement of dunder attributes in the deepdiff library. An attacker can bypass the intended restrictions by constructing a serialized delta that, when processed, grants access to unauthorized modules and classes. Depending on the configuration, this can lead to arbitrary attribute writes and potentially full remote code execution within self-hosted PyTorch Lightning applications, since the delta endpoint is enabled by default.
Affected Version(s)
lightning-ai/pytorch-lightning < 2.3.3
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
EPSS Score
62% chance of being exploited in the next 30 days.
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved