8 matches found
CVE-2024-8020
CVE-2024-8020 (lightning-ai/pytorch-lightning, v2.3.2) exposes a DoS through an unexpected POST to the LightningApp API at /api/v1/state. The root cause is improper handling of unexpected state values, which can crash the server. Public references describe a DoS by sending crafted JSON (e.g., sta...
CVE-2022-0845
CVE-2022-0845 affects PyTorch Lightning (repository pytorchlightning/pytorch-lightning) and is a Code Injection vulnerability present in releases prior to 1.6.0. Public descriptions indicate an injection path enabling code execution and, in some sources, exploitation of trainer configuration (e.g...
CVE-2024-5980
The CVE-2024-5980 entry describes a path-traversal vulnerability in lightning-ai/pytorch-lightning v2.2.4 exposed via the /v1/runs API endpoint. When the LightningApp runs with the plugin_server, malicious tar.gz plugins can embed arbitrary files using path traversal, allowing writes to arbitrary...
CVE-2021-4118
CVE-2021-4118 affects pytorch-lightning and is described as a Deserialization of Untrusted Data vulnerability. The CVSS3 data in the records indicates a HIGH impact on confidentiality, integrity, and availability with a LOCAL attack vector, LOW attack complexity, no privileges required, and USER ...
CVE-2024-8019
Lightning AI PyTorch Lightning 2.3.2 exposes a vulnerable LightningApp on Windows via /api/v1/upload_file/. An attacker can write/overwrite arbitrary files by crafting a filename, potentially enabling remote code execution (RCE) and compromising integrity and availability (CVSS 3.1/3.0: 9.1). Aff...
CVE-2024-5452
CVE-2024-5452 affects lightning-ai/pytorch-lightning (v2.2.1) and arises from insecure deserialization via deepdiff.Delta, where dunder attributes can be manipulated to bypass whitelists and cause arbitrary attribute writes, yielding remote code execution (RCE) on self-hosted PyTorch Lightning ap...
CVE-2026-44484
PyTorch Lightning PyPI package versions 2.6.2 and 2.6.3 have been compromised, introducing functionality consistent with a credential harvesting mechanism. This is reflected across CVE-2026-44484 and associated advisories (GHSA-w37p-236h-pfx3; OSV). The root cause is under investigation; affected...
CVE-2026-31221
PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() (and related checkpoint loading paths) call torch.load() without weights_only=True, allowing deserialization of ...