Lightning vulnerability CVE-2024-5980

[lukas-folle-snkeos]

Bug description

According to GHSA-mr7h-w2qc-ffc2, all latest lightning version are vulnerable. Could you please detail how you want to fix this or whether support from the community would be helpful?

What version are you seeing the problem on?

v1.8, v1.9, v2.0, v2.1, v2.2

How to reproduce the bug

No response

Error messages and logs

No response

Environment

No response

More info

No response

[lantiga]

Thanks for reaching out. This has no practical effects since no user-facing code uses this and PyTorch Lightning users are not affected, but we are taking swift action to remove the incriminated code so that scanners return a clean result.

[awaelchli]

Update: we've removed the code in question from the repo.

[kiukchung]

for those interested... here's the PR (#20039) that deletes lightning.app (code flagged in CVE-2024-5980)

[awaelchli]

A new release is available with the reported code removed: https://pypi.org/project/lightning/

To upgrade:

pip install -U lightning

No action is required for the pytorch-lightning package or the lightning-fabric package, these never had that code included.

With this, I'm closing the issue. Thanks for the help everyone.