CVE-2024-8019 CRITICAL

CVE-2024-8019: Arbitrary File Write/Overwrite in lightning-ai/pytorch-lightning

Vendor Lightning-Ai
Product lightning-ai/pytorch-lightning
Weakness CWE-434 · Unrestricted file upload
Published March 20, 2025
Last update March 20, 2025

CVSS base score

9.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High
Availability High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

What the vulnerability does

Description

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in `LightningApp` when it runs on a Windows host. The flaw is in the `/api/v1/upload_file/` endpoint, which accepts an attacker-supplied filename without adequate validation, allowing arbitrary files to be written or overwritten by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Key dates

Disclosure timeline

March 20, 2025 CVE published
March 20, 2025 Record updated