CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 2
CVE-2024-5452 – RCE via Property/Class Pollution in lightning-ai/pytorch-lightning
https://notcve.org/view.php?id=CVE-2024-5452
06 Jun 2024 — A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist an... • https://github.com/XiaomingX/cve-2024-5452-poc • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes