pytorch_lightning is vulnerable to deserialization of untrusted data. The vulnerability is due to an insecure method call in the load_hparams_from_yaml function of saving.py, which deserializes a YAML hyper-parameter file with a loader that honours arbitrary Python object tags. An attacker who can supply a malicious YAML config file (for example alongside a shared checkpoint) therefore gets remote code execution when the file is loaded.
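The class of defect described above, as an added example that is not PyTorch Lightning's own code: a constructed hyper-parameter file loaded with PyYAML's unsafe loader next to the hardened yaml.safe_load form. The function names, the MALICIOUS_HPARAMS and BENIGN_HPARAMS contents, and the choice of subprocess.check_output as the callable the tag reaches are all assumptions made for this demo; it requires PyYAML 5.1 or later.

```python
"""Added example (not PyTorch Lightning's own code): the vulnerable pattern
behind this advisory next to its hardened form.

Assumptions: PyYAML >= 5.1 (yaml.unsafe_load / yaml.safe_load). The hparams
text, the function names and the choice of subprocess.check_output as the
callable the attacker reaches are all constructed for this demo.
"""
import yaml

# Constructed attacker-controlled hparams.yaml. The !!python/object/apply tag
# makes PyYAML's unsafe loader import `subprocess`, look up `check_output`
# and call it with the listed arguments while the file is being parsed, so
# simply loading the hyper-parameters runs a command.
MALICIOUS_HPARAMS = """\
learning_rate: 0.001
batch_size: !!python/object/apply:subprocess.check_output
  - ["echo", "pwned"]
"""

# Constructed benign hparams.yaml, as a trainer would normally write it.
BENIGN_HPARAMS = """\
learning_rate: 0.001
batch_size: 32
"""


def load_hparams_unsafe(text: str) -> dict:
    """Vulnerable pattern: yaml.unsafe_load honours python/* tags.

    yaml.load(text) with no explicit Loader behaved the same way on PyYAML
    releases before 5.1, which is why "insecure method call" advisories
    like this one keep appearing.
    """
    return yaml.unsafe_load(text)


def load_hparams_safe(text: str) -> dict:
    """Hardened pattern: SafeLoader only constructs plain YAML data types
    (mappings, sequences, scalars) and raises on any python/* tag."""
    return yaml.safe_load(text)


def demo() -> dict:
    """Load the same constructed files both ways and report what happened."""
    result = {}
    # Unsafe path: the "batch_size" value is whatever the command returned.
    result["unsafe_batch_size"] = load_hparams_unsafe(MALICIOUS_HPARAMS)["batch_size"]
    # Safe path: the malicious file is rejected outright ...
    try:
        load_hparams_safe(MALICIOUS_HPARAMS)
        result["safe_rejected"] = False
    except yaml.YAMLError:
        result["safe_rejected"] = True
    # ... while ordinary hyper-parameters still load as plain data.
    result["safe_benign"] = load_hparams_safe(BENIGN_HPARAMS)
    return result


if __name__ == "__main__":
    print(demo())
```

When auditing a codebase for this pattern, treat yaml.load without an explicit Loader, yaml.load(..., Loader=yaml.Loader) and yaml.unsafe_load as equivalent findings. PyYAML's FullLoader has also had arbitrary-code-execution bypasses of its own, so yaml.safe_load (or a SafeLoader subclass with only the custom tags you actually need) is the right choice for any hparams file that a user could supply.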
| CPE | Name | Operator | Version |
|---|---|---|---|
| | pytorch-lightning | le | 1.5.10 |
github.com/advisories/GHSA-2vj5-px25-gjrp
github.com/pytorchlightning/pytorch-lightning/commit/62f1e82e032eb16565e676d39e0db0cac7e34ace
github.com/PyTorchLightning/pytorch-lightning/pull/5619
huntr.dev/bounties/31832f0c-e5bb-4552-a12c-542f81f111e6