VulnerableCode Package Details - pkg:pypi/pytorch-lightning@2.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-1z2t-6a26-w7c1 Aliases: CVE-2024-8020 GHSA-98fp-7v67-4v3q	A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.	2.3.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-dpzd-6sun-a7av Aliases: CVE-2026-31221 GHSA-75m9-98v2-hjpm	PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.	2.6.1 Affected by 0 other vulnerabilities.
VCID-rdkc-nx1c-uqc8 Aliases: CVE-2024-8019 GHSA-4cv3-v7pv-rfhf	In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.	2.4.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-1z2t-6a26-w7c1
Aliases:
CVE-2024-8020
GHSA-98fp-7v67-4v3q

A vulnerability in lightning-ai/pytorch-lightning version 2.3.2 allows an attacker to cause a denial of service by sending an unexpected POST request to the `/api/v1/state` endpoint of `LightningApp`. This issue occurs due to improper handling of unexpected state values, which results in the server shutting down.

2.3.3
Affected by 2 other vulnerabilities.

VCID-dpzd-6sun-a7av
Aliases:
CVE-2026-31221
GHSA-75m9-98v2-hjpm

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in the checkpoint loading mechanism. The LightningModule.load_from_checkpoint() method, which is commonly used to load saved model states, internally calls torch.load() without setting the security-restrictive weights_only=True parameter. This default behavior allows the deserialization of arbitrary Python objects via the Pickle module. A remote attacker can exploit this by providing a maliciously crafted checkpoint file, leading to arbitrary code execution on the victim's system when the file is loaded.

2.6.1
Affected by 0 other vulnerabilities.

VCID-rdkc-nx1c-uqc8
Aliases:
CVE-2024-8019
GHSA-4cv3-v7pv-rfhf

In lightning-ai/pytorch-lightning version 2.3.2, a vulnerability exists in the `LightningApp` when running on a Windows host. The vulnerability occurs at the `/api/v1/upload_file/` endpoint, allowing an attacker to write or overwrite arbitrary files by providing a crafted filename. This can lead to potential remote code execution (RCE) by overwriting critical files or placing malicious files in sensitive locations.

2.4.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T22:29:11.479801+00:00	GitLab Importer	Affected by	VCID-dpzd-6sun-a7av	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pytorch-lightning/CVE-2026-31221.yml	38.6.0
2026-06-12T19:55:43.242712+00:00	GitLab Importer	Affected by	VCID-rdkc-nx1c-uqc8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pytorch-lightning/CVE-2024-8019.yml	38.6.0
2026-06-12T19:55:19.827302+00:00	GitLab Importer	Affected by	VCID-1z2t-6a26-w7c1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/pytorch-lightning/CVE-2024-8020.yml	38.6.0