lightning-ai/pytorch-lightning
cpe:2.3:a:lightningai:pytorch_lightning:*:*:*:*:python:*:*, +1 more
- 2.3.2
A vulnerability in Lightning-AI PyTorch Lightning version 2.3.2 allows arbitrary file write or overwrite when a LightningApp is run on a Windows host. The issue is in the '/api/v1/upload_file/' endpoint, which takes the client-supplied filename and uses it to decide where the uploaded content is written. Because the filename is not constrained to the intended upload directory, an attacker can use directory traversal sequences (and the other forms Windows accepts, such as backslash separators, drive letters and rooted paths) to write to or replace files in sensitive locations, which can lead to remote code execution.
Exploitation of this vulnerability could allow an attacker to overwrite critical files or place malicious files in sensitive locations, with the potential for remote code execution by, for example, overwriting a Python file or a Jinja2 template, writing a file to the user's Startup folder, or placing a .pth file in the Python site-packages folder.
To reproduce this vulnerability, upload a file through the '/api/v1/upload_file/' endpoint using a crafted filename that includes directory traversal sequences. The file is written to the location the filename resolves to rather than to the upload directory, for example the user's Desktop. Any client that can reach the endpoint over HTTP can do this; no interaction by the user running the app is required.
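The following Python example is added here to illustrate the failure mode described above; it is not Lightning's own code and does not reproduce the project's endpoint. It uses the standard-library ntpath module so the Windows path semantics (backslash and forward-slash separators, drive letters, rooted paths, ".." collapsing) can be exercised on any operating system. The upload directory C:\lightning\uploads, the function names and the sample filenames are assumptions made for the example.

```python
import ntpath

# Assumed upload directory of the app on the Windows host (example value).
UPLOAD_ROOT = r"C:\lightning\uploads"


def resolve_upload_target(filename: str) -> str:
    """Vulnerable pattern: trust the client-supplied filename and join it under
    the upload root. ntpath.join discards the root when the filename is
    absolute or rooted, and ntpath.normpath collapses '..' components, so the
    result can land anywhere on the drive."""
    return ntpath.normpath(ntpath.join(UPLOAD_ROOT, filename))


def is_within_root(target: str) -> bool:
    """Containment check: the resolved path must be strictly below UPLOAD_ROOT.
    normcase lower-cases and unifies separators, which is how Windows compares."""
    root = ntpath.normcase(ntpath.normpath(UPLOAD_ROOT))
    return ntpath.normcase(target).startswith(root + ntpath.sep)


def safe_upload_target(filename: str) -> str:
    """Hardened pattern: accept only a bare filename, then prove containment.

    Rejecting rather than silently flattening keeps traversal attempts visible
    in logs instead of turning them into a different, unexpected filename."""
    # Windows treats '/' as a separator too, so normalise before inspecting.
    candidate = filename.replace("/", "\\")
    # Any directory, drive ("C:evil.py") or rooted component changes basename.
    if ntpath.basename(candidate) != candidate:
        raise ValueError(f"path components are not allowed in filename: {filename!r}")
    if candidate in ("", ".", ".."):
        raise ValueError(f"invalid filename: {filename!r}")
    # Alternate data streams ("evil.py:stream") and trailing dots/spaces are
    # Windows-specific surprises that a bare-name check does not catch.
    if ":" in candidate or candidate != candidate.rstrip(". "):
        raise ValueError(f"unsafe filename: {filename!r}")
    target = resolve_upload_target(candidate)
    if not is_within_root(target):  # defence in depth; should not trigger here
        raise ValueError(f"filename escapes upload directory: {filename!r}")
    return target


def rejects(filename: str) -> bool:
    """True if the hardened handler refuses the filename."""
    try:
        safe_upload_target(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames, in the shapes an attacker would try.
    samples = [
        "model.ckpt",
        r"..\..\Users\victim\Desktop\evil.py",
        "../../Users/victim/Desktop/evil.py",
        r"C:\Users\victim\Desktop\evil.py",
        r"\Users\victim\Desktop\evil.py",
        "C:evil.py",
        "evil.py:stream",
    ]
    for name in samples:
        target = resolve_upload_target(name)
        print(f"{name!r:45} -> {target:40} inside={is_within_root(target)} "
              f"hardened_rejects={rejects(name)}")
```

Running the block prints, for each sample, where the naive join would write, whether that is inside the upload directory, and whether the hardened handler refuses it. Only the bare "model.ckpt" passes both checks; every traversal, drive-letter and rooted variant resolves outside C:\lightning\uploads under the naive join and is rejected by the hardened version.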
Users can update to Lightning-AI PyTorch Lightning version 2.3.3 or later, where this vulnerability has been fixed. The affected code ships in both the 'lightning' and 'pytorch-lightning' distributions, so check the installed version of each (for example with 'pip show lightning pytorch-lightning') rather than assuming only one is present. Until the upgrade is applied, do not expose a LightningApp running on Windows to untrusted networks.