CVE-2024-8019

9.1 CRITICAL

📋 TL;DR

This vulnerability in PyTorch Lightning's LightningApp allows attackers to write arbitrary files via a crafted filename at the /api/v1/upload_file/ endpoint on Windows hosts. This can lead to remote code execution by overwriting critical files or placing malicious executables. Users running PyTorch Lightning 2.3.2 on Windows with LightningApp exposed are affected.

💻 Affected Systems

Products:
  • lightning-ai/pytorch-lightning
Versions: 2.3.2 specifically
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects LightningApp component when running on Windows. Linux/macOS systems are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

File system corruption, service disruption, or limited code execution depending on where the attacker places files.

🟢 If Mitigated

Denial of service through file overwrites if critical files are protected but writable locations remain.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via HTTP API and requires no authentication.
🏢 Internal Only: MEDIUM - Still significant risk if internal attackers exist, but reduced exposure surface.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request with crafted filename parameter. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.3 or later

Vendor Advisory: https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418a341cbc1f9f127f9a

Restart Required: Yes

Instructions:

1. Update PyTorch Lightning (quote the requirement so the shell does not treat >= as a redirect): pip install --upgrade "pytorch-lightning>=2.3.3"
2. Restart any running LightningApp instances
3. Verify version with: python -c "import pytorch_lightning; print(pytorch_lightning.__version__)"

🔧 Temporary Workarounds

Disable vulnerable endpoint (applies to: all)

Remove or block access to the /api/v1/upload_file/ endpoint

# Configure web server (nginx example)
location /api/v1/upload_file/ { return 403; }
# Application-level disable if configurable

Migrate to Linux/macOS (applies to: all)

Deploy LightningApp on non-Windows operating systems

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to LightningApp API endpoints
  • Deploy web application firewall (WAF) with file upload protection and path traversal detection rules

🔍 How to Verify

Check if Vulnerable:

Check if running PyTorch Lightning 2.3.2 on Windows with LightningApp accessible

Check Version:

python -c "import pytorch_lightning; print(pytorch_lightning.__version__)"

Verify Fix Applied:

Confirm version is 2.3.3+ and test file upload endpoint with path traversal attempts

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /api/v1/upload_file/ with suspicious filenames containing ../ or absolute paths
  • File creation/modification in unexpected system locations

Network Indicators:

  • Unusual file upload patterns to the API endpoint
  • Multiple failed upload attempts with path traversal patterns

SIEM Query:

source="web_logs" AND uri_path="/api/v1/upload_file/" AND (filename="*../*" OR filename="*:*" OR filename="*\\*" OR filename="*/*")
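The log indicators and SIEM query above, as an added example that is not part of the advisory or of the Lightning project: a small Python scanner that parses constructed key=value proxy log lines, keeps POSTs to the upload endpoint, URL-decodes the filename and flags the same Windows-aware patterns the query lists (dot-dot segments, drive letters, UNC prefixes, path separators). The log format and every sample line are constructed, and the double decoding is an added check for double-encoded filenames.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real traffic), modelled on a key=value access
# log a reverse proxy in front of LightningApp might emit. Assumed format.
SAMPLE_LOGS = r"""
method=POST path=/api/v1/upload_file/ filename=model.ckpt status=200
method=POST path=/api/v1/upload_file/ filename=..%5C..%5Cwindows%5Cwin.ini status=200
method=POST path=/api/v1/upload_file/ filename=C:\Users\Public\x.exe status=200
method=POST path=/api/v1/upload_file/ filename=..%2F..%2Fetc%2Fpasswd status=400
method=GET path=/api/v1/state filename= status=200
method=POST path=/api/v1/upload_file/ filename=\\share\drop.bat status=200
"""

UPLOAD_PATH = "/api/v1/upload_file/"
LOG_RE = re.compile(
    r"method=(?P<method>\S+)\s+path=(?P<path>\S+)\s+"
    r"filename=(?P<filename>\S*)\s+status=(?P<status>\d+)"
)


def classify_filename(raw: str) -> list[str]:
    """Reasons a submitted filename looks like traversal or an absolute path."""
    name = unquote(unquote(raw))  # two passes so double-encoded names are seen
    reasons = []
    if re.search(r"(^|[\\/])\.\.([\\/]|$)", name):
        reasons.append("dot-dot segment")
    if re.match(r"^[A-Za-z]:", name):
        reasons.append("drive letter")
    elif ":" in name:
        reasons.append("colon")  # e.g. an NTFS alternate data stream suffix
    if name.startswith("\\\\") or name.startswith("//"):
        reasons.append("UNC path")
    if "\\" in name or "/" in name:
        reasons.append("path separator")
    return reasons


def scan_logs(text: str) -> list[dict]:
    """One hit per POST to the upload endpoint whose filename is suspicious; 4xx kept."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["method"] != "POST" or m["path"] != UPLOAD_PATH:
            continue
        reasons = classify_filename(m["filename"])
        if reasons:
            hits.append({"filename": m["filename"], "status": int(m["status"]), "reasons": reasons})
    return hits
```

Failed (4xx) attempts are deliberately kept in the output, since repeated rejected uploads with traversal patterns are themselves one of the indicators listed above.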
