Platform
python
Component
pytorch-lightning
Fixed in
1.6.0
CVE-2022-0845 is a critical code injection vulnerability in PyTorch Lightning, the training framework published on PyPI as pytorch-lightning. It affects versions up to and including 1.5.10.post0 and is fixed in 1.6.0. An attacker who can feed input to the vulnerable code path gets arbitrary Python execution inside the training process, which on a typical training host means compromise of that process and of every credential, dataset and checkpoint it can reach.
The flaw is not a generic input-validation gap but a dangerous-function bug. Before 1.6.0, the environment-variable override mechanism in `pytorch_lightning.utilities.argparse` read variables named `PL_<CLASS>_<ARGUMENT>` (for example `PL_TRAINER_GPUS`) and coerced each value to a native Python type by passing it to `eval()`. Because `Trainer.__init__` consults these variables on every construction, any value an attacker can plant in the environment of a training process is executed as Python code, with that process's privileges, as soon as a `Trainer` is created. Version 1.6.0 replaced `eval()` with `ast.literal_eval()`, which accepts only literals. The practical precondition is therefore control over the process environment: a job scheduler or CI system that lets users pass environment variables, a container spec assembled from untrusted input, or a tampered `.env` file. Where that precondition holds, the impact is remote code execution in the training pipeline: theft of data and credentials available to the job, and the ability to alter checkpoints or models before they reach production.
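The following added example is not code from the PyTorch Lightning project; it is a stand-alone model of the vulnerable pattern and its fix, written for this page. The `Trainer` class, argument names and the `CONSTRUCTED_ENV` dictionary are constructed for the demonstration. It shows the pre-1.6.0 `eval()` coercion executing an injected expression, the `ast.literal_eval()` form refusing it, and a small check a job scheduler or CI step could run to flag `PL_*` variables whose values are not plain literals before a training job starts.

```python
import ast

# Constructed stand-in for pytorch_lightning.Trainer: only the two arguments this demo needs.
class Trainer:
    def __init__(self, gpus=None, max_epochs=None):
        self.gpus = gpus
        self.max_epochs = max_epochs


def _env_name(cls, arg_name):
    # Same naming scheme as the real override mechanism: PL_<CLASS>_<ARGUMENT>.
    return f"PL_{cls.__name__.upper()}_{arg_name.upper()}"


def parse_env_vulnerable(cls, arg_names, environ):
    """Pre-1.6.0 pattern: coerce each env string with eval(), so any expression runs."""
    parsed = {}
    for arg_name in arg_names:
        val = environ.get(_env_name(cls, arg_name))
        if val is None or val == "":
            continue
        try:
            val = eval(val)  # the bug: "2" becomes 2, but so does any Python expression
        except Exception:
            pass  # keep the raw string if it is not valid Python
        parsed[arg_name] = val
    return parsed


def parse_env_hardened(cls, arg_names, environ):
    """1.6.0 pattern: ast.literal_eval() accepts literals only; names and calls are rejected."""
    parsed = {}
    for arg_name in arg_names:
        val = environ.get(_env_name(cls, arg_name))
        if val is None or val == "":
            continue
        try:
            val = ast.literal_eval(val)
        except (ValueError, SyntaxError, TypeError):
            pass  # not a literal: keep the raw string, never execute it
        parsed[arg_name] = val
    return parsed


def non_literal_pl_vars(environ):
    """Pre-flight check for job specs or CI: names of PL_* variables that are not plain literals."""
    flagged = []
    for key, val in sorted(environ.items()):
        if not key.startswith("PL_") or val == "":
            continue
        try:
            ast.literal_eval(val)
        except (ValueError, SyntaxError, TypeError):
            flagged.append(key)
    return flagged


# Constructed environment: one benign override and one injected expression. The payload is
# deliberately side-effect free (it only calls len()), but anything eval() accepts would run.
CONSTRUCTED_ENV = {
    "PL_TRAINER_GPUS": "2",
    "PL_TRAINER_MAX_EPOCHS": "__import__('builtins').len('injected')",
}
TRAINER_ARGS = ["gpus", "max_epochs"]

if __name__ == "__main__":
    print("vulnerable:", parse_env_vulnerable(Trainer, TRAINER_ARGS, CONSTRUCTED_ENV))
    print("hardened:  ", parse_env_hardened(Trainer, TRAINER_ARGS, CONSTRUCTED_ENV))
    print("flagged:   ", non_literal_pl_vars(CONSTRUCTED_ENV))
```

With the vulnerable parser the injected `max_epochs` value is evaluated and comes back as the integer 8, proving the expression ran; the hardened parser leaves the string untouched, and `non_literal_pl_vars` names exactly the variable a scheduler should reject. The check is conservative: legitimate overrides such as `"2"`, `"0.01"`, `"True"` or `"[0, 1]"` are all literals and pass.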
CVE-2022-0845 was publicly disclosed on March 5, 2022. No active exploitation campaigns have been publicly linked to it, and it is not listed in the CISA KEV catalog. Its severity nevertheless warrants prompt attention: triggering the flaw needs nothing more than the ability to set an environment variable for a process that constructs a Trainer, so an attacker with that foothold needs no exploit tooling at all.
Exploit Status
EPSS
0.27% (51st percentile)
CVSS Vector
The primary mitigation for CVE-2022-0845 is to upgrade pytorch-lightning to version 1.6.0 or later. Where an immediate upgrade is blocked by compatibility issues, reduce the attack surface at the boundary that matters for this bug, the process environment: do not let untrusted users supply environment variables to training jobs (job schedulers, CI pipelines, notebook launchers and container specs built from user input are the usual channels), and reject or strip any PL_* variable whose value is not a plain literal before the job starts. A WAF is irrelevant here because the injection point is not an HTTP request. For detection, alert on PL_* variables appearing in job definitions where they are not expected, and on shells or network clients spawned by training processes.
Update the pytorch-lightning library to version 1.6.0 or higher, which replaces the unsafe coercion with `ast.literal_eval`. Upgrade with pip: `pip install --upgrade pytorch-lightning`. Pin `pytorch-lightning>=1.6.0` in requirements and lock files so a later downgrade cannot reintroduce the flaw, and confirm the running version with `python -c "import pytorch_lightning; print(pytorch_lightning.__version__)"`.
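As an added example (not part of this page or of the PyTorch Lightning project), the script below checks a pinned requirements file and the installed package against the 1.6.0 fix boundary. The `CONSTRUCTED_REQUIREMENTS` text is made up for the demonstration; the version parsing is a simplified reading of PEP 440 that is sufficient for the version strings involved here, and it assumes, conservatively, that pre-releases of 1.6.0 are still affected.

```python
import re
from importlib import metadata

FIXED = (1, 6, 0)  # first fixed release per the advisory
_VER = re.compile(r"^\s*v?(?P<nums>\d+(?:\.\d+)*)(?P<suffix>.*)$")


def parse_version(version):
    """Return ((major, minor, patch), is_prerelease). Handles 1.5.10.post0 and 1.6.0rc1."""
    m = _VER.match(version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    nums = (nums + (0, 0, 0))[:3]
    suffix = m.group("suffix").lstrip(".-_").lower()
    # Post-releases (".post0") are not pre-releases; alpha/beta/rc/dev tags are.
    is_pre = suffix.startswith(("a", "b", "rc", "dev", "c"))
    return nums, is_pre


def is_affected(version):
    nums, is_pre = parse_version(version)
    if nums < FIXED:
        return True
    # Assumption: a pre-release of the fixed version is treated as unfixed.
    return nums == FIXED and is_pre


def _normalize(name):
    # PEP 503 normalization so pytorch_lightning and Pytorch-Lightning match.
    return re.sub(r"[-_.]+", "-", name).lower()


def scan_requirements(text):
    """Find pytorch-lightning lines; report pinned versions and whether they are affected."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(.*)$", line)
        if not m or _normalize(m.group(1)) != "pytorch-lightning":
            continue
        pin = re.search(r"==\s*([^\s,;]+)", m.group(2))
        if pin:
            version = pin.group(1)
            findings.append({"line": lineno, "version": version, "affected": is_affected(version)})
        else:
            # Range or unpinned: the file alone cannot tell, check the installed version.
            findings.append({"line": lineno, "version": None, "affected": None})
    return findings


def installed_version():
    """Version of the installed pytorch-lightning distribution, or None if absent."""
    try:
        return metadata.version("pytorch-lightning")
    except metadata.PackageNotFoundError:
        return None


# Constructed requirements file for the demonstration.
CONSTRUCTED_REQUIREMENTS = """\
torch==1.10.2
pytorch-lightning==1.5.10.post0   # last 1.5.x release, affected
pytorch_lightning>=1.4            # unpinned: cannot tell from the file alone
lightning-bolts==0.5.0
"""

if __name__ == "__main__":
    for f in scan_requirements(CONSTRUCTED_REQUIREMENTS):
        print(f)
    v = installed_version()
    print("installed:", v, "affected:", is_affected(v) if v else "not installed")
```

Run it against a real requirements.txt by replacing the constructed text with the file contents; lines that resolve to `affected: None` need the installed version checked, which `installed_version()` does for the current interpreter.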
CVE-2022-0845 is a critical code injection vulnerability affecting PyTorch Lightning versions up to 1.5.10.post0, allowing attackers to execute arbitrary code.
If you are using PyTorch Lightning versions 1.5.10.post0 or earlier, you are vulnerable to this code injection vulnerability.
Upgrade PyTorch Lightning to version 1.6.0 or later. Until then, make sure untrusted parties cannot set environment variables for processes that construct a Trainer, and reject PL_* variables whose values are not plain literals.
While no confirmed active exploitation campaigns have been publicly reported, the CRITICAL severity warrants immediate attention and mitigation.
Refer to the PyTorch Lightning GitHub repository and related security advisories for the latest information: [https://github.com/pytorch/pytorch-lightning](https://github.com/pytorch/pytorch-lightning)