AVID-2026-R1607

Description

Arbitrary File Write/Overwrite in lightning-ai/pytorch-lightning (CVE-2024-8019)

Details

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Reason for inclusion in AVID: CVE-2024-8019 targets lightning-ai/pytorch-lightning, a core AI framework used in ML pipelines. It enables arbitrary file write/overwrite via a network endpoint, potentially enabling remote code execution. This is a software vulnerability in a component critical to building/deploying AI systems, with clear evidence (CVE entry, CVSS score, and references).

References

Affected or Relevant Artifacts

Developer: lightning-ai
Deployer: lightning-ai
Artifact Details:

Type	Name
System	lightning-ai/pytorch-lightning

Impact

AVID Taxonomy Categorization

Risk domains: Security
SEP subcategories: S0100: Software Vulnerability
Lifecycle stages: L06: Deployment

CVSS

Version	3.0
Vector String	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Base Score	9.1
Base Severity	🔴 Critical
Attack Vector	NETWORK
Attack Complexity	🟢 Low
Privileges Required	NONE
User Interaction	NONE
Scope	UNCHANGED
Confidentiality Impact	NONE
Integrity Impact	🔴 High
Availability Impact	🔴 High

CWE

ID	Description
CWE-434	CWE-434 Unrestricted Upload of File with Dangerous Type

Other information

Report Type: Advisory
Credits:
Date Reported: 2025-03-20
Version: 0.3.3
AVID Entry