GHSA-4cv3-v7pv-rfhf

Source

https://github.com/advisories/GHSA-4cv3-v7pv-rfhf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4cv3-v7pv-rfhf/GHSA-4cv3-v7pv-rfhf.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-4cv3-v7pv-rfhf

Aliases

CVE-2024-8019

Related

CGA-m9hh-8285-jv2g

Published

2025-03-20T12:32:46Z

Modified

2026-01-30T00:51:32.222790Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H CVSS Calculator

Summary

PyTorch Lightning path traversal vulnerability

Details

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

Database specific

{
    "github_reviewed_at": "2025-03-21T21:56:03Z",
    "severity": "CRITICAL",
    "github_reviewed": true,
    "nvd_published_at": "2025-03-20T10:15:39Z",
    "cwe_ids": [
        "CWE-434"
    ]
}

References

Affected packages

PyPI / pytorch-lightning

Package

Name: pytorch-lightning; View open source insights on deps.dev
Purl: pkg:pypi/pytorch-lightning

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.4.0

Affected versions

0.*

0.0.2

0.2

0.2.2

0.2.3

0.2.4

0.2.4.1

0.2.5

0.2.5.1

0.2.5.2

0.2.6

0.3

0.3.1

0.3.2

0.3.3

0.3.4

0.3.4.1

0.3.5

0.3.6

0.3.6.1

0.3.6.3

0.3.6.4

0.3.6.5

0.3.6.6

0.3.6.7

0.3.6.8

0.3.6.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.5.0

0.5.1

0.5.1.2

0.5.1.3

0.5.2

0.5.2.1

0.5.3

0.5.3.1

0.5.3.2

0.5.3.3

0.6.0

0.7.1

0.7.3

0.7.5

0.7.6

0.8.1

0.8.3

0.8.4

0.8.5

0.9.0

0.10.0

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.2.0rc0

1.2.0rc1

1.2.0rc2

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.3.0rc1

1.3.0rc2

1.3.0rc3

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.7.post0

1.3.8

1.4.0rc0

1.4.0rc1

1.4.0rc2

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.5.0rc0

1.5.0rc1

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.5.7

1.5.8

1.5.9

1.5.10

1.5.10.post0

1.6.0rc0

1.6.0rc1

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.5.post0

1.7.0rc0

1.7.0rc1

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.7.7

1.8.0rc0

1.8.0rc1

1.8.0rc2

1.8.0

1.8.0.post1

1.8.1

1.8.2

1.8.3

1.8.3.post0

1.8.3.post1

1.8.3.post2

1.8.4

1.8.4.post0

1.8.5

1.8.5.post0

1.8.6

1.9.0rc0

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

2.*

2.0.0rc0

2.0.0

2.0.1

2.0.1.post0

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.post0

2.1.0rc0

2.1.0rc1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.2.0rc0

2.2.0

2.2.0.post0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.3.0

2.3.1

2.3.2

2.3.3

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-4cv3-v7pv-rfhf/GHSA-4cv3-v7pv-rfhf.json"