CVE-2022-0845 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

Any ML training pipeline running pytorch-lightning below 1.6.0 is exposed to unauthenticated remote code execution — no privileges, no user interaction required. Upgrade to 1.6.0+ immediately; treat any training host that ran the vulnerable version as potentially compromised and rotate credentials. This is especially urgent for teams that expose Jupyter notebooks, training APIs, or Lightning-based serving endpoints to internal networks.

Risk Assessment

Despite CVSS 9.8, EPSS sits at 0.27%, indicating limited observed exploitation in the wild as of enrichment date. However, the attack profile (network-accessible, zero complexity, zero privileges) makes any exposed training infrastructure a high-priority target. ML environments are notoriously under-patched and often run with elevated cloud credentials attached, dramatically amplifying blast radius beyond the compromised host.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
pytorch-lightning	pip	< 1.6.0	`1.6.0`
31.1K OpenSSF 5.2 1.6K dependents Pushed today 50% patched ~496d to patch Full package profile →
pytorch_lightning	pip	—	No patch
99.8K OpenSSF 6.4 21.9K dependents Pushed today 8% patched ~142d to patch Full package profile →

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 51% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

6 steps

Patch

Upgrade pytorch-lightning to >= 1.6.0 immediately. Pin the version in requirements.txt and lock files.
Audit exposure

Identify any pytorch-lightning processes or APIs reachable over the network — training orchestrators, REST wrappers, Jupyter kernels with Lightning installed.
Assume breach if unpatched

Rotate all credentials (cloud IAM, API keys, database passwords) accessible from affected training hosts.
Network controls

Training infrastructure should not be directly internet-accessible; enforce egress filtering and segment training environments from production.
Detection

Review logs for unexpected subprocess spawns, outbound connections, or new user accounts created from training processes.
Dependency scanning

Integrate pip-audit or Safety into CI/CD to catch vulnerable ML library versions before deployment.

Classification

Code Execution Supply Chain Framework Training Data AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.1.4 - AI system security

NIST AI RMF

MANAGE-2.2 - Mechanisms to sustain deployment of AI are evaluated and monitored

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2022-0845?

Any ML training pipeline running pytorch-lightning below 1.6.0 is exposed to unauthenticated remote code execution — no privileges, no user interaction required. Upgrade to 1.6.0+ immediately; treat any training host that ran the vulnerable version as potentially compromised and rotate credentials. This is especially urgent for teams that expose Jupyter notebooks, training APIs, or Lightning-based serving endpoints to internal networks.

Is CVE-2022-0845 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2022-0845, increasing the risk of exploitation.

How to fix CVE-2022-0845?

1. **Patch**: Upgrade pytorch-lightning to >= 1.6.0 immediately. Pin the version in requirements.txt and lock files. 2. **Audit exposure**: Identify any pytorch-lightning processes or APIs reachable over the network — training orchestrators, REST wrappers, Jupyter kernels with Lightning installed. 3. **Assume breach if unpatched**: Rotate all credentials (cloud IAM, API keys, database passwords) accessible from affected training hosts. 4. **Network controls**: Training infrastructure should not be directly internet-accessible; enforce egress filtering and segment training environments from production. 5. **Detection**: Review logs for unexpected subprocess spawns, outbound connections, or new user accounts created from training processes. 6. **Dependency scanning**: Integrate pip-audit or Safety into CI/CD to catch vulnerable ML library versions before deployment.

What systems are affected by CVE-2022-0845?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, MLOps pipelines, model serving, experiment tracking integrations.

What is the CVSS score for CVE-2022-0845?

CVE-2022-0845 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.27%.

Technical Details

NVD Description

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

Exploitation Scenario

An adversary identifies an organization's ML training API or exposed Jupyter notebook running pytorch-lightning < 1.6.0. By crafting a malicious payload — for example, embedding injected Python code in a model checkpoint path or trainer configuration parameter — the attacker triggers code execution within the Lightning training process. Since training environments typically run with broad IAM permissions to access S3 buckets, GPU clusters, or secrets managers, the attacker immediately pivots to exfiltrate model weights, training data, and cloud credentials. In a distributed training scenario, lateral movement to other training nodes is trivial. The entire ML supply chain — from data to model — is compromised without any phishing or social engineering.