File Overwrite Vulnerability in LightningApp for PyTorch Lightning on Windows
CVE-2024-8019

9.1 CRITICAL

Key Information:

Vendor
CVE Published: 20 March 2025

What is CVE-2024-8019?

A vulnerability has been identified in the LightningApp component of PyTorch Lightning version 2.3.2, specifically affecting Windows hosts. The flaw lies in the /api/v1/upload_file/ endpoint, which allows a malicious user to craft a filename that writes or overwrites files on the server. Successful exploitation could lead to remote code execution, since an attacker may be able to replace critical system files or place harmful files in protected directories, raising the risk of follow-on attacks.
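One way to confine client-supplied upload filenames to the upload directory under Windows path rules, shown as an added defender-side example that is not PyTorch Lightning's own code; the upload directory, the class and function names are assumptions, and PureWindowsPath is used so the checks behave identically on any host.

```python
# Added example (not PyTorch Lightning code): keep an uploaded filename inside one
# directory under Windows path semantics. PureWindowsPath applies Windows rules
# ('/' and '\' both separate, drive letters and UNC prefixes are anchors) on any OS.
from pathlib import PureWindowsPath

# Device names Windows resolves even with an extension appended (CON.txt -> CON).
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)), *(f"LPT{i}" for i in range(1, 10))}
# Characters NTFS forbids in a name; ':' would also select an alternate data stream.
_FORBIDDEN = set('<>:"|?*') | {chr(c) for c in range(32)}


class UnsafeFilename(ValueError):
    """The client-supplied filename could name a file outside upload_dir."""


def safe_upload_path(upload_dir: str, filename: str) -> str:
    """Return the destination path for `filename` inside `upload_dir`, or raise.

    Only a single, plain path component is accepted; anything Windows could
    interpret as a different location or a device is rejected.
    """
    candidate = PureWindowsPath(filename)
    if candidate.anchor:  # "C:\...", "\\server\share\...", "\Windows\..."
        raise UnsafeFilename(f"absolute or drive-qualified name: {filename!r}")
    if len(candidate.parts) != 1:  # "..\x", "a/b", "" and "." all fail here
        raise UnsafeFilename(f"name must be a single component: {filename!r}")
    name = candidate.parts[0]
    if name in (".", "..") or _FORBIDDEN & set(name):
        raise UnsafeFilename(f"traversal or forbidden character: {filename!r}")
    if name.split(".")[0].upper() in _RESERVED:
        raise UnsafeFilename(f"reserved device name: {filename!r}")
    if name != name.rstrip(" ."):  # Windows strips these, so names would collide
        raise UnsafeFilename(f"trailing space or dot: {filename!r}")
    return str(PureWindowsPath(upload_dir) / name)


def is_accepted(upload_dir: str, filename: str) -> bool:
    """True when `filename` passes every check in safe_upload_path."""
    try:
        safe_upload_path(upload_dir, filename)
        return True
    except UnsafeFilename:
        return False


if __name__ == "__main__":
    UPLOADS = r"C:\app\uploads"  # hypothetical upload directory
    for f in ["model-v2.ckpt", r"..\..\Windows\x.dll", "CON.txt", "a.txt:stream"]:
        print(f"{f!r:>28} -> {'accepted' if is_accepted(UPLOADS, f) else 'rejected'}")
```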

Affected Version(s)

lightning-ai/pytorch-lightning < 2.3.3

References

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

CVSS V3.0

Score: 9.1
Severity: CRITICAL
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
