In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| pytorch-lightning(PyPI) | 0 | 2.4.0 | N/A |
CVSS Metrics
