CVEFinder.io

CVE-2024-5452

⛔ critical
🔍 Scan for this CVE
Summary

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer

Description

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.

CVSS Score
9.8
Critical
EPSS Score
56.7
Exploit Probability
Published Date
2024-06-06
First Seen: 2026-01-05
📊 Relative Risk Intelligence

This CVE is Very High Risk - more severe than 90.5% of all 328,009 vulnerabilities in our database.

#31,168
Top 10% most severe
Severity Percentile
🎯 CISA SSVC Assessment Updated: Aug 9, 2024
🔍 Exploitation Status
Poc
Proof-of-concept available
⚙️ Automatable
YES
Can be exploited automatically
💥 Technical Impact
Total
Complete system compromise possible
SSVC data provided by CISA
Last Modified 2025-10-15
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE IDs (Weakness Types)
CWE-915 CWE-913

📦 Affected Products 1

Vendor Product Status Affected Versions
lightningai pytorch_lightning Affected
< 2.3.3

🔗 References 2

https://github.com/lightning-ai/pytorch-lightning/co...
https://huntr.com/bounties/486add92-275e-4a7b-92f9-4...
Exploit Third Party Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-44484 ⛔ critical 9.8 0.1 PyTorch Lightning is a deep learning framework to pretrain and finetune AI models. Versions 2.6.2 and 2.6.2 have introdu... 2026-05-14
CVE-2026-31221 ⚠️ high 7.8 0.2 PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoi... 2026-05-12
CVE-2024-8019 ⛔ critical 9.1 1.0 In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows ... 2025-03-20
CVE-2024-8020 ⚠️ high 7.5 0.1 A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sendi... 2025-03-20
CVE-2024-5980 ⛔ critical 9.8 10.7 A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path t... 2024-06-27
CVE-2022-0845 ⛔ critical 9.8 0.3 Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. 2022-03-05
These CVEs affect the same products