Critical severity · NVD Advisory · Published Mar 5, 2022 · Updated Aug 2, 2024
Code Injection in pytorchlightning/pytorch-lightning
CVE-2022-0845
Description
Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. The fix commit shows the affected path: `parse_env_variables()` in `pytorch_lightning/utilities/argparse.py` converted environment-variable values to native types with `eval()`, so anyone able to set a `PL_*` environment variable for the process could have arbitrary Python executed when the `Trainer` read its settings; 1.6.0 replaces `eval()` with `ast.literal_eval()`, which accepts only Python literals.
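The difference between the two calls is easiest to see by running them side by side. The block below is an added example, not code from pytorch-lightning: it models the structure of the patched helper (walk the constructor's parameters, look each one up in the environment, convert with a blanket `suppress(Exception)`) and feeds it one constructed environment containing a legitimate value, a bare word and an injected expression. The `FakeTrainer` class, the `PL_<CLASS>_<PARAM>` naming and the `mark()` side-effect recorder are assumptions made for this demonstration.

```python
"""Added example, not pytorch-lightning's own code: a stripped-down model of the
env-variable parsing helper changed in the 1.6.0 patch, run once with eval()
(pre-1.6.0) and once with ast.literal_eval() (1.6.0+)."""
import inspect
from argparse import Namespace
from ast import literal_eval
from contextlib import suppress
from typing import Any, Callable, Dict, Mapping

# Records side effects triggered by evaluating attacker-controlled strings.
SIDE_EFFECTS: list = []


def mark(tag: str) -> str:
    """Benign stand-in for the command an attacker would actually run."""
    SIDE_EFFECTS.append(tag)
    return tag


class FakeTrainer:
    """Hypothetical stand-in for pl.Trainer with a few keyword parameters."""

    def __init__(self, max_epochs: int = 1, accelerator: str = "cpu", fast_dev_run: bool = False):
        self.max_epochs = max_epochs
        self.accelerator = accelerator
        self.fast_dev_run = fast_dev_run


def parse_env(cls, env: Mapping[str, str], convert: Callable[[str], Any]) -> Namespace:
    """Mirrors the shape of the patched helper: for each __init__ parameter,
    look up PL_<CLASS>_<PARAM> (assumed naming) in `env` and convert the value
    to a native type with `convert`, keeping the raw string if that fails."""
    env_args: Dict[str, Any] = {}
    for name in inspect.signature(cls.__init__).parameters:
        if name == "self":
            continue
        key = f"PL_{cls.__name__.upper()}_{name.upper()}"
        if key not in env:
            continue
        val: Any = env[key]
        with suppress(Exception):  # same blanket suppress as the patched code
            val = convert(val)
        env_args[name] = val
    return Namespace(**env_args)


def parse_env_vulnerable(cls, env: Mapping[str, str]) -> Namespace:
    """Pre-1.6.0 behaviour: eval() runs whatever the variable contains."""
    return parse_env(cls, env, lambda s: eval(s))  # intentionally unsafe


def parse_env_fixed(cls, env: Mapping[str, str]) -> Namespace:
    """1.6.0 behaviour: literal_eval() accepts only Python literals."""
    return parse_env(cls, env, literal_eval)


# Constructed environment: a real setting, a bare word, and an injected payload.
DEMO_ENV = {
    "PL_FAKETRAINER_FAST_DEV_RUN": "True",                      # literal: becomes bool
    "PL_FAKETRAINER_ACCELERATOR": "gpu",                        # not a literal: stays str
    "PL_FAKETRAINER_MAX_EPOCHS": "(mark('code-ran'), 3)[1]",    # code hidden in a value
}


def demo(env: Mapping[str, str] = DEMO_ENV) -> Dict[str, Any]:
    """Parse `env` both ways and report the values plus any code that ran."""
    SIDE_EFFECTS.clear()
    before = parse_env_vulnerable(FakeTrainer, env)
    ran_before = list(SIDE_EFFECTS)
    SIDE_EFFECTS.clear()
    after = parse_env_fixed(FakeTrainer, env)
    return {
        "vuln": vars(before), "vuln_side_effects": ran_before,
        "fixed": vars(after), "fixed_side_effects": list(SIDE_EFFECTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With `eval()`, the `MAX_EPOCHS` value both runs `mark()` and yields `3`, so the injected code is invisible to the caller; with `literal_eval()` the same string raises `ValueError`, the blanket `suppress` swallows it, and the raw string is handed on unchanged, while `"True"` and `"gpu"` behave identically in both versions. Note that `literal_eval` is not a sandbox: the Python documentation warns that a sufficiently nested string can still crash the interpreter through stack-depth limits, so an environment variable stops being a code-execution sink but remains untrusted input.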
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| pytorch-lightning (PyPI) | < 1.6.0 | 1.6.0 |
Affected products
- Range: unspecified
Patches
8b7a12c52e52 Replace `eval()` with `ast.literal_eval()` for security (#12212)
2 files changed · +6 −1
CHANGELOG.md+4 −0 modified@@ -663,9 +663,13 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/). - Fixed an issue where `HorovodStrategy.teardown()` did not complete gracefully if an exception was thrown during callback setup [#11752](https://github.com/PyTorchLightning/pytorch-lightning/pull/11752) + - Fixed security vulnerabilities CVE-2020-1747 and CVE-2020-14343 caused by the `PyYAML` dependency ([#11099](https://github.com/PyTorchLightning/pytorch-lightning/pull/11099)) +- Fixed security vulnerability "CWE-94: Improper Control of Generation of Code (Code Injection)" ([#12212](https://github.com/PyTorchLightning/pytorch-lightning/pull/12212)) + + - Fixed logging on `{test,validation}_epoch_end` with multiple dataloaders ([#11132](https://github.com/PyTorchLightning/pytorch-lightning/pull/11132))
pytorch_lightning/utilities/argparse.py+2 −1 modified@@ -17,6 +17,7 @@ import os from abc import ABC from argparse import _ArgumentGroup, ArgumentParser, Namespace +from ast import literal_eval from contextlib import suppress from functools import wraps from typing import Any, Callable, cast, Dict, List, Tuple, Type, TypeVar, Union @@ -121,7 +122,7 @@ def parse_env_variables(cls: Type["pl.Trainer"], template: str = "PL_%(cls_name) # todo: specify the possible exception with suppress(Exception): # converting to native types like int/float/bool - val = eval(val) + val = literal_eval(val) env_args[arg_name] = val return Namespace(**env_args)
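Review bot: in the CHANGELOG hunk, the new entry under Fixed names only the CWE ("Improper Control of Generation of Code (Code Injection)"), so a reader scanning the changelog cannot tell which code path changed or whether their deployment is exposed; the neighbouring PyYAML entry shows the better pattern of naming the concrete issue. Suggest something like "- Fixed code execution via `eval()` on `PL_*` environment-variable values in `parse_env_variables` by switching to `ast.literal_eval()` (#12212)". The lone added `+` blank lines surrounding the entry also break the list's spacing and should be dropped.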
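Review bot: in the argparse.py hunk, the `# todo: specify the possible exception` comment above `with suppress(Exception):` is now actionable and should be resolved in this same change: `literal_eval` raises `ValueError` for non-literal input (a bare word such as `gpu`), `SyntaxError` for unparsable text and, on hostile input, `MemoryError` or `RecursionError`, so `with suppress(ValueError, SyntaxError):` keeps the intended fall-through to the raw string while letting resource-exhaustion errors surface instead of being silently turned into a string value. A one-line comment that `literal_eval` is not a sandbox would also help: the Python documentation notes that a sufficiently large or nested string can still crash the interpreter, so the variable is no longer a code-execution sink but remains untrusted input.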
References
- github.com/advisories/GHSA-r5qj-cvf9-p85h (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-0845 (NVD advisory)
- github.com/PyTorchLightning/pytorch-lightning/pull/12212 (pull request)
- github.com/pypa/advisory-database/tree/main/vulns/pytorch-lightning/PYSEC-2022-181.yaml (PyPA advisory)
- github.com/pytorchlightning/pytorch-lightning/commit/8b7a12c52e52a06408e9231647839ddb4665e8ae (fix commit)
- huntr.dev/bounties/a795bf93-c91e-4c79-aae8-f7d8bda92e2a (huntr bounty report)
News mentions
No linked articles in our index yet.