CVE-2024-8019
Published: 20 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-8019 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) affecting lightning-ai/pytorch-lightning version 2.3.2, specifically in the LightningApp component when running on a Windows host. The issue resides in the /api/v1/upload_file/ endpoint, which allows attackers to write or overwrite arbitrary files by supplying a crafted filename. This flaw, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), can enable potential remote code execution (RCE) through the placement of malicious files in sensitive locations or overwriting of critical system files.
The vulnerability is exploitable remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. Any unauthenticated attacker with network access to the affected LightningApp instance on Windows can send a malicious request to the upload endpoint, achieving arbitrary file write or overwrite capabilities. Successful exploitation could lead to RCE, system compromise, or disruption of integrity and availability, depending on the targeted files.
Mitigation details are available in the project's GitHub repository via commit 330af381de88cff17515418a341cbc1f9f127f9a, which addresses the issue. Additional information, including bounty details, can be found on the Huntr page at https://huntr.com/bounties/2754298b-5af5-48ef-8b38-999093ddf2bd. Security practitioners should upgrade to a patched version of pytorch-lightning beyond 2.3.2 and restrict network exposure of LightningApp endpoints.
This vulnerability is particularly relevant to AI/ML workflows, as pytorch-lightning is a popular framework for scalable PyTorch training, potentially exposing ML development environments to risks during model serving or app deployment on Windows. No public evidence of real-world exploitation has been reported as of the CVE publication on 2025-03-20.
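For defenders reviewing their own upload handlers, the following is an added example (not the project's patch and not code from pytorch-lightning) of validating a client-supplied filename under Windows path rules before writing it. It assumes uploads belong in one flat directory; `safe_upload_path`, `check` and the `ROOT` path are hypothetical names chosen for illustration.

```python
import ntpath
import re

# Windows reserved device names; opening these never creates a regular file.
_RESERVED = {"CON", "PRN", "AUX", "NUL",
             *(f"COM{i}" for i in range(1, 10)),
             *(f"LPT{i}" for i in range(1, 10))}
# Conservative allow-list: letters, digits, dot, dash, underscore.
_ALLOWED = re.compile(r"[A-Za-z0-9._-]{1,128}")
ROOT = r"C:\app\uploads"  # assumed upload directory (constructed)


def safe_upload_path(upload_root: str, filename: str) -> str:
    """Return the path to write under upload_root, or raise ValueError.

    Uses ntpath so the check applies Windows rules on any host OS.
    """
    # Allow-list first: rejects '/', '\\', ':', NUL bytes, wildcards, spaces.
    if not _ALLOWED.fullmatch(filename):
        raise ValueError("filename contains characters outside the allow-list")
    # '.' and '..', and names ending in '.' (Windows strips trailing dots).
    if filename.strip(".") == "" or filename.endswith("."):
        raise ValueError("dot-only or dot-terminated filename")
    # 'NUL', 'con.txt' and 'COM1.log' all resolve to devices on Windows.
    if filename.split(".", 1)[0].upper() in _RESERVED:
        raise ValueError("reserved device name")
    root = ntpath.normpath(upload_root)
    target = ntpath.normpath(ntpath.join(root, filename))
    # Defence in depth: the final path must sit directly inside the root.
    if ntpath.normcase(ntpath.dirname(target)) != ntpath.normcase(root):
        raise ValueError("resolved path escapes the upload directory")
    return target


def check(upload_root: str, filename: str) -> bool:
    """True when filename is accepted for upload_root."""
    try:
        safe_upload_path(upload_root, filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample filenames, not taken from the advisory.
    for name in ["model.ckpt", "..\\settings.ini", "C:notes.txt", "NUL", "report."]:
        print(repr(name), "accept" if check(ROOT, name) else "reject")
```

A handler that needs subdirectories would have to validate each path component the same way instead of relaxing the allow-list.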
AI Security Analysis
- AI Category: Deep Learning Frameworks
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- MITRE ATLAS Techniques: None mapped
- Classification Reason: PyTorch Lightning (lightning-ai/pytorch-lightning) is a popular high-level wrapper and framework built on PyTorch for simplifying deep learning model training and deployment workflows.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables exploitation of a public-facing application (T1190) via the web endpoint and facilitates ingress tool transfer (T1105) by allowing arbitrary file writes or overwrites on the Windows host with crafted filenames, potentially leading to RCE.