VYPR
High severity · NVD Advisory · Published Dec 23, 2021 · Updated Aug 3, 2024

Deserialization of Untrusted Data in pytorchlightning/pytorch-lightning

CVE-2021-4118

Description

pytorch-lightning before 1.6.0 is vulnerable to Deserialization of Untrusted Data (CWE-502): `load_hparams_from_yaml` in `pytorch_lightning/core/saving.py` parsed hyperparameter YAML files with PyYAML's `UnsafeLoader`, so a crafted hparams file can execute arbitrary Python code in the process that loads it. Version 1.6.0 switches the call to `yaml.full_load` and requires PyYAML 5.4 or later.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package             Ecosystem   Affected versions   Patched versions
pytorch-lightning   PyPI        < 1.6.0             1.6.0

Affected products: 1

Patches: 1

Commit 62f1e82e032e

Fix CVE-2020-1747 and CVE-2020-14343 (#11099)

4 files changed · +4 −6
  • CHANGELOG.md+2 2 modified
    @@ -293,10 +293,10 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
     
     ### Fixed
     
    -- Fixed a bug to disable logging hyperparameters in logger if there are no hparams ([#11105](https://github.com/PyTorchLightning/pytorch-lightning/issues/11105))
    +- Fixed security vulnerabilities CVE-2020-1747 and CVE-2020-14343 caused by the `PyYAML` dependency ([#11099](https://github.com/PyTorchLightning/pytorch-lightning/pull/11099))
     
     
    --
    +- Fixed a bug to disable logging hyperparameters in logger if there are no hparams ([#11105](https://github.com/PyTorchLightning/pytorch-lightning/issues/11105))
     
     
     - Avoid the deprecated `onnx.export(example_outputs=...)` in torch 1.10 ([#11116](https://github.com/PyTorchLightning/pytorch-lightning/pull/11116))
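Review bot: the new entry attributes the fix to the `PyYAML` dependency, but the change in this commit is in pytorch-lightning's own code (the `yaml.load(fp, Loader=yaml.UnsafeLoader)` call in `load_hparams_from_yaml` replaced by `yaml.full_load`, with a `PyYAML>=5.4` floor), and `UnsafeLoader` executes `!!python/object/apply:` payloads on any PyYAML version, not only the two cited CVEs. Say what changed, for example `- Replaced `yaml.UnsafeLoader` with `yaml.full_load` in `load_hparams_from_yaml` and require PyYAML>=5.4`, so changelog readers understand that every file passed to that function was affected.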
    
  • pytorch_lightning/core/saving.py+1 1 modified
    @@ -344,7 +344,7 @@ def load_hparams_from_yaml(config_yaml: str, use_omegaconf: bool = True) -> Dict
             return {}
     
         with fs.open(config_yaml, "r") as fp:
    -        hparams = yaml.load(fp, Loader=yaml.UnsafeLoader)
    +        hparams = yaml.full_load(fp)
     
         if _OMEGACONF_AVAILABLE:
             if use_omegaconf:
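Review bot: `yaml.full_load` narrows but does not close the deserialization surface on this line. FullLoader still resolves `!!python/name:` and `!!python/object:` tags against modules that are already imported, so a tampered file opened from an arbitrary `fs` path can still hand back module attributes and instantiate classes in the loading process. For a hyperparameter file, `hparams = yaml.safe_load(fp)` is the conservative replacement; if class-valued hparams such as the `torch.nn.BatchNorm1d` case in `tests/loggers/test_csv.py` genuinely have to round-trip, that should be an explicit, documented allow-list rather than a loader default. Also note that with FullLoader the safety of this line depends on the installed PyYAML version, which makes the `requirements.txt` bump in the same commit load-bearing.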
    
  • requirements.txt+1 1 modified
    @@ -4,7 +4,7 @@ numpy>=1.17.2
     torch>=1.7.*
     future>=0.17.1  # required for builtins in setup.py
     tqdm>=4.41.0
    -PyYAML>=5.1
    +PyYAML>=5.4
     fsspec[http]>=2021.05.0, !=2021.06.0
     tensorboard>=2.2.0
     torchmetrics>=0.4.1
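Review bot: `PyYAML>=5.4` is the real security boundary for the `yaml.full_load` change, because FullLoader in releases before 5.3.1 and 5.4 is exactly what CVE-2020-1747 and CVE-2020-14343 bypass. A declared floor only helps where the installer honours it; an environment that already holds an older PyYAML and is updated with `--no-deps` or by a non-pip tool keeps the bypass. Consider a runtime guard on `yaml.__version__` next to the `full_load` call, or `yaml.safe_load`, whose rejection of `python/*` tags does not depend on the PyYAML version.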
    
  • tests/loggers/test_csv.py+0 2 modified
    @@ -12,7 +12,6 @@
     # See the License for the specific language governing permissions and
     # limitations under the License.
     import os
    -from argparse import Namespace
     from unittest.mock import MagicMock
     
     import pytest
    @@ -95,7 +94,6 @@ def test_file_logger_log_hyperparams(tmpdir):
             "bool": True,
             "dict": {"a": {"b": "c"}},
             "list": [1, 2, 3],
    -        "namespace": Namespace(foo=Namespace(bar="buzz")),
             "layer": torch.nn.BatchNorm1d,
         }
         logger.log_hyperparams(hparams)
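Review bot: dropping the `Namespace` hyperparameter removes the only nested-object case from `test_file_logger_log_hyperparams` without a replacement, and neither the diff nor the commit message says why it no longer passes under the new loader. Add a test that a YAML file containing a `!!python/object/apply:` tag is now rejected by `load_hparams_from_yaml`, since that is the behaviour this commit exists to guarantee, and if `Namespace` values genuinely cannot round-trip through `yaml.full_load`, record that behaviour change in the CHANGELOG entry.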
    

Vulnerability mechanics

Before the fix, `load_hparams_from_yaml` in `pytorch_lightning/core/saving.py` opened the hyperparameter file through `fs.open(config_yaml, "r")` and parsed it with `yaml.load(fp, Loader=yaml.UnsafeLoader)`. PyYAML's `UnsafeLoader` honours the `!!python/object/apply:` family of tags, which name a Python callable and its arguments; the loader imports the module, calls the callable, and stores the result as the value of the key. Whoever controls the YAML file therefore runs code in the process that loads it, with no further interaction needed. The fix replaces the call with `yaml.full_load` (PyYAML's `FullLoader`, which has no constructor for `python/object/apply`) and raises the PyYAML requirement to 5.4, the first release in which `FullLoader` is not known to be bypassable (CVE-2020-1747 was fixed in 5.3.1, CVE-2020-14343 in 5.4). `FullLoader` still resolves `!!python/name:` and `!!python/object:` tags for modules that are already imported, so `yaml.safe_load` remains the stricter choice for files that are plain data.
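The loader difference described above, as an added example that is not code from pytorch-lightning or PyYAML: a constructed hparams file with one attacker-added key is fed to `UnsafeLoader`, `full_load` and `safe_load`, and a hardened drop-in for `load_hparams_from_yaml` is sketched with `safe_load`. It assumes PyYAML 5.4 or later is installed; `os.getpid` is a harmless stand-in for the `os.system`-style callable a real payload would name, and the function names and the hardened loader are this example's own, not the project's.

```python
# Added example (not pytorch-lightning's or PyYAML's code): how the three PyYAML
# loaders treat a tampered hparams.yaml. Assumes PyYAML >= 5.4. os.getpid stands
# in for the os.system-style callable an attacker would name, so running this is
# harmless.
import os

import yaml

# Constructed sample input: an ordinary hparams file with one attacker-added key.
TAMPERED_HPARAMS = """\
learning_rate: 0.001
batch_size: 32
backdoor: !!python/object/apply:os.getpid []
"""


def load_unsafe(text):
    """Pre-fix behaviour of load_hparams_from_yaml: UnsafeLoader imports the
    named module and calls the callable with the listed arguments."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_full(text):
    """Post-fix behaviour: FullLoader (PyYAML >= 5.4) has no constructor for
    python/object/apply and raises ConstructorError on it."""
    return yaml.full_load(text)


def load_safe(text):
    """SafeLoader rejects every python/* tag."""
    return yaml.safe_load(text)


def rejects(loader, text):
    """True if the loader refuses the document instead of constructing it."""
    try:
        loader(text)
    except yaml.YAMLError:
        return True
    return False


def unsafe_load_ran_callable(text=TAMPERED_HPARAMS):
    """Did UnsafeLoader actually invoke the attacker-named callable?
    The stand-in returns this process's pid, so compare against os.getpid()."""
    return load_unsafe(text)["backdoor"] == os.getpid()


def full_load_resolves_python_name():
    """FullLoader still turns !!python/name: into an attribute of a module that
    is already imported (here os). The object is returned, not called, which is
    why class-valued hparams round-trip but the surface is not zero."""
    return yaml.full_load("hook: !!python/name:os.getpid\n")["hook"]


def load_hparams_hardened(text):
    """Hypothetical conservative replacement for load_hparams_from_yaml
    (assumption: hparams files are plain data): safe_load plus a shape check,
    keeping the original's behaviour of returning {} for an empty file."""
    data = yaml.safe_load(text)
    if data is None:
        return {}
    if not isinstance(data, dict):
        raise ValueError("hparams file must be a YAML mapping")
    return data


if __name__ == "__main__":
    print("UnsafeLoader ran the payload:", unsafe_load_ran_callable())
    print("full_load rejects python/object/apply:", rejects(load_full, TAMPERED_HPARAMS))
    print("safe_load rejects python/object/apply:", rejects(load_safe, TAMPERED_HPARAMS))
    print("full_load on !!python/name:os.getpid ->", full_load_resolves_python_name())
    print("hardened loader:", load_hparams_hardened("learning_rate: 0.001\n"))
```

Run it as a script to see the four outcomes side by side. The `rejects` helper catches `yaml.YAMLError` rather than the more specific `ConstructorError` only so that any refusal by the loader counts; in practice both `full_load` and `safe_load` raise `ConstructorError` for the tagged key.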

References: 8

News mentions: 0