CVE-2022-0845: PyTorch Lightning code injection

CISO Take

Any ML training pipeline running pytorch-lightning below 1.6.0 is exposed to unauthenticated remote code execution — no privileges, no user interaction required. Upgrade to 1.6.0+ immediately; treat any training host that ran the vulnerable version as potentially compromised and rotate credentials. This is especially urgent for teams that expose Jupyter notebooks, training APIs, or Lightning-based serving endpoints to internal networks.

What is the risk?

Despite CVSS 9.8, EPSS sits at 0.27%, indicating limited observed exploitation in the wild as of enrichment date. However, the attack profile (network-accessible, zero complexity, zero privileges) makes any exposed training infrastructure a high-priority target. ML environments are notoriously under-patched and often run with elevated cloud credentials attached, dramatically amplifying blast radius beyond the compromised host.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PyTorch Lightning	pip	< 1.6.0	`1.6.0`
31.2K OpenSSF 5.9 1.6K dependents Pushed 14d ago 57% patched ~373d to patch Full package profile →
PyTorch	pip	—	No patch
100.9K OpenSSF 6.4 22.7K dependents Pushed 3d ago 11% patched ~216d to patch Full package profile →

How severe is it?

CVSS 3.1

9.8 / 10

EPSS

1.0%

chance of exploitation in 30 days

Higher than 57% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

What should I do?

6 steps

Patch

Upgrade pytorch-lightning to >= 1.6.0 immediately. Pin the version in requirements.txt and lock files.
Audit exposure

Identify any pytorch-lightning processes or APIs reachable over the network — training orchestrators, REST wrappers, Jupyter kernels with Lightning installed.
Assume breach if unpatched

Rotate all credentials (cloud IAM, API keys, database passwords) accessible from affected training hosts.
Network controls

Training infrastructure should not be directly internet-accessible; enforce egress filtering and segment training environments from production.
Detection

Review logs for unexpected subprocess spawns, outbound connections, or new user accounts created from training processes.
Dependency scanning

Integrate pip-audit or Safety into CI/CD to catch vulnerable ML library versions before deployment.

How is it classified?

Code Execution Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain deployment of AI are evaluated and monitored

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-0845?

Any ML training pipeline running pytorch-lightning below 1.6.0 is exposed to unauthenticated remote code execution — no privileges, no user interaction required. Upgrade to 1.6.0+ immediately; treat any training host that ran the vulnerable version as potentially compromised and rotate credentials. This is especially urgent for teams that expose Jupyter notebooks, training APIs, or Lightning-based serving endpoints to internal networks.

Is CVE-2022-0845 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-0845, increasing the risk of exploitation.

How to fix CVE-2022-0845?

1. **Patch**: Upgrade pytorch-lightning to >= 1.6.0 immediately. Pin the version in requirements.txt and lock files. 2. **Audit exposure**: Identify any pytorch-lightning processes or APIs reachable over the network — training orchestrators, REST wrappers, Jupyter kernels with Lightning installed. 3. **Assume breach if unpatched**: Rotate all credentials (cloud IAM, API keys, database passwords) accessible from affected training hosts. 4. **Network controls**: Training infrastructure should not be directly internet-accessible; enforce egress filtering and segment training environments from production. 5. **Detection**: Review logs for unexpected subprocess spawns, outbound connections, or new user accounts created from training processes. 6. **Dependency scanning**: Integrate pip-audit or Safety into CI/CD to catch vulnerable ML library versions before deployment.

What systems are affected by CVE-2022-0845?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps pipelines, model serving, experiment tracking integrations.

What is the CVSS score for CVE-2022-0845?

CVE-2022-0845 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.96%.

What is the AI security impact?

Affected AI Architectures

training pipelinesMLOps pipelinesmodel servingexperiment tracking integrations

MITRE ATLAS Techniques

AML.T0010.001 AI Software

AML.T0049 Exploit Public-Facing Application

AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Article 15

ISO 42001: A.6.1.4

NIST AI RMF: MANAGE-2.2

OWASP LLM Top 10: LLM05

What are the technical details?

Original Advisory

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

Exploitation Scenario

An adversary identifies an organization's ML training API or exposed Jupyter notebook running pytorch-lightning < 1.6.0. By crafting a malicious payload — for example, embedding injected Python code in a model checkpoint path or trainer configuration parameter — the attacker triggers code execution within the Lightning training process. Since training environments typically run with broad IAM permissions to access S3 buckets, GPU clusters, or secrets managers, the attacker immediately pivots to exfiltrate model weights, training data, and cloud credentials. In a distributed training scenario, lateral movement to other training nodes is trivial. The entire ML supply chain — from data to model — is compromised without any phishing or social engineering.

Weaknesses (CWE)

CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary CWE-94 Improper Control of Generation of Code ('Code Injection')

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

[Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
[Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.