HIGH 7.5
PYSEC-2026-1857
PyTorch Lightning denial of service vulnerability
Details
A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / pytorch-lightning
Introduced in:
0 No fixed version published yet for pytorch-lightning (pip). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-8020 [ADVISORY]
- https://github.com/Lightning-AI/pytorch-lightning [PACKAGE]
- https://huntr.com/bounties/8b642a78-2b80-4fb0-9b2f-8ba0ff37db6a [WEB]
- https://pypi.org/project/pytorch-lightning [PACKAGE]
- https://github.com/advisories/GHSA-98fp-7v67-4v3q [ADVISORY]