9.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-8019

GHSA ID

GHSA-4cv3-v7pv-rfhf

EPSS Score

0.52023%

CWE

CWE-434

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-8019

CVE-2024-8019: PyTorch Lightning path traversal vulnerability

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the LightningApp when running on a Windows host. The vulnerability occurs at the /api/v1/upload_file/ endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

(GitHub Advisory)

9.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2024-8019

GHSA ID

GHSA-4cv3-v7pv-rfhf

EPSS Score

0.52023%

CWE

CWE-434

Published

3/20/2025

Updated

3/21/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
pytorch-lightning	pip

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly occurs in the file upload endpoint handler. The key failure is insufficient validation of user-controlled filename parameters when writing files. Though the exact code isn't shown, the advisory's description of crafted filenames leading to arbitrary writes matches classic path traversal vulnerabilities in file upload handlers. The Windows-specific context suggests improper handling of path separators. The first patched version removed LightningApp code (commit 330af38), implying the vulnerable logic resided in the app component's file upload handling.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In li**tnin*-*i/pytor**-li**tnin* v*rsion *.*.*, * vuln*r**ility *xists in t** `Li**tnin**pp` w**n runnin* on * Win*ows *ost. T** vuln*r**ility o**urs *t t** `/*pi/v*/uplo**_*il*/` *n*point, *llowin* *n *tt**k*r to writ* or ov*rwrit* *r*itr*ry *il*s

Reasoning

T** vuln*r**ility *xpli*itly o**urs in t** *il* uplo** *n*point **n*l*r. T** k*y **ilur* is insu**i*i*nt `v*li**tion` o* us*r-*ontroll** `*il*n*m*` p*r*m*t*rs w**n writin* *il*s. T*ou** t** *x**t *o** isn't s*own, t** **visory's **s*ription o* *r**t*

9.1

Basic Information

Concerned about an active attack path?

CVE-2024-8019: PyTorch Lightning path traversal vulnerability

9.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI