AI Threat Alert AI Threat Alert

CVE-2024-8019: pytorch-lightning: file upload RCE (Windows)

GHSA-4cv3-v7pv-rfhf CRITICAL CISA: TRACK*
Published March 20, 2025
CISO Take

Any Windows-hosted ML environment running pytorch-lightning's LightningApp exposes an unauthenticated file upload endpoint that allows arbitrary file writes — including overwriting Python scripts executed by the training pipeline. Upgrade to pytorch-lightning 2.4.0 immediately; if patching is delayed, block external access to the /api/v1/upload_file/ endpoint at the network perimeter. No authentication is required, making this trivially exploitable by any network-adjacent attacker.

Risk Assessment

CVSS 9.1 with no authentication, no user interaction, and network-accessible attack vector makes this severe for any team exposing LightningApp on Windows hosts. EPSS of ~1.1% indicates no confirmed active exploitation at time of publication, but the low attack complexity means weaponization is trivial. ML development environments frequently lack lateral movement controls, so a foothold here can cascade to model artifact stores, training data, and experiment tracking systems. Risk is HIGH for organizations running LightningApp-based experiment infrastructure on Windows.

Affected Systems

Package Ecosystem Vulnerable Range Patched
pytorch-lightning pip < 2.4.0 2.4.0
31.1K OpenSSF 5.2 1.6K dependents Pushed today 50% patched ~496d to patch Full package profile →

Do you use pytorch-lightning? You're affected.

Severity & Risk

CVSS 3.1
9.1 / 10
EPSS
2.1%
chance of exploitation in 30 days
Higher than 84% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I High
A High

Recommended Action

6 steps

  1. PATCH

    Upgrade pytorch-lightning to >= 2.4.0 immediately.

  2. BLOCK

    Restrict access to /api/v1/upload_file/ via WAF rule or reverse proxy ACL if running behind a gateway.

  3. ISOLATE

    Ensure LightningApp ports (default 7501) are not exposed to untrusted networks; bind to localhost if remote access is not required.

  4. DETECT

    Review web server logs for POST requests to /api/v1/upload_file/ containing path traversal sequences (../, ..\ URL-encoded variants).

  5. AUDIT

    Check recently modified .py, .pth, and .ckpt files in pytorch-lightning working directories for unauthorized changes.

  6. HARDEN

    Run LightningApp processes under a low-privilege service account with restricted filesystem write permissions.

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework Training Data AML.T0010.001 AML.T0018 AML.T0049 AML.T0072

Compliance Impact

This CVE is relevant to:

ISO 42001
A.6.2 - AI system security
NIST AI RMF
GOVERN 1.7 - AI risk management processes address practices for AI lifecycle security MANAGE 2.2 - Mechanisms to respond to and recover from AI risks
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-8019?

Any Windows-hosted ML environment running pytorch-lightning's LightningApp exposes an unauthenticated file upload endpoint that allows arbitrary file writes — including overwriting Python scripts executed by the training pipeline. Upgrade to pytorch-lightning 2.4.0 immediately; if patching is delayed, block external access to the /api/v1/upload_file/ endpoint at the network perimeter. No authentication is required, making this trivially exploitable by any network-adjacent attacker.

Is CVE-2024-8019 actively exploited?

No confirmed active exploitation of CVE-2024-8019 has been reported, but organizations should still patch proactively.

How to fix CVE-2024-8019?

1. PATCH: Upgrade pytorch-lightning to >= 2.4.0 immediately. 2. BLOCK: Restrict access to /api/v1/upload_file/ via WAF rule or reverse proxy ACL if running behind a gateway. 3. ISOLATE: Ensure LightningApp ports (default 7501) are not exposed to untrusted networks; bind to localhost if remote access is not required. 4. DETECT: Review web server logs for POST requests to /api/v1/upload_file/ containing path traversal sequences (../, ..\ URL-encoded variants). 5. AUDIT: Check recently modified .py, .pth, and .ckpt files in pytorch-lightning working directories for unauthorized changes. 6. HARDEN: Run LightningApp processes under a low-privilege service account with restricted filesystem write permissions.

What systems are affected by CVE-2024-8019?

This vulnerability affects the following AI/ML architecture patterns: model training pipelines, experiment tracking, ML development environments, model serving.

What is the CVSS score for CVE-2024-8019?

CVE-2024-8019 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 2.10%.

Technical Details

NVD Description

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Exploitation Scenario

An adversary targeting an ML team's Windows-based training server identifies a LightningApp instance reachable on the internal network (e.g., via Shodan, internal pivot, or compromised VPN). They POST a multipart file upload request to /api/v1/upload_file/ with a filename crafted to traverse directories — e.g., filename='../../site-packages/lightning/app/core/app.py' — overwriting a core pytorch-lightning module with a malicious version containing a reverse shell payload. The next time any training job imports the module, the attacker gains code execution under the ML worker's OS context, with access to model artifacts, training data, credentials stored in environment variables, and cloud provider tokens used for remote storage.

Weaknesses (CWE)

CWE-434 Unrestricted Upload of File with Dangerous Type Primary

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

References

Timeline

Published
March 20, 2025
Last Modified
March 21, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2022-0845 9.8

pytorch-lightning: code injection enables full RCE

Same package: pytorch-lightning
HIGH CVE-2024-8020 7.5

pytorch-lightning: unauthenticated DoS crashes LightningApp

Same package: pytorch-lightning
CRITICAL CVE-2026-44484

pytorch-lightning: supply chain, credential harvesting

Same package: pytorch-lightning
CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same attack type: Supply Chain
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Supply Chain
Back to Threat Feed