Researchers discover undocumented parameter exploit flaw in Lightning.AI development platform

A critical remote code execution (RCE) vulnerability with a CVSS score of 9.4 was reported in Lightning.AI's development platform by researchers at Noma Security. The vulnerability was found in the platform's JavaScript code and could potentially allow attackers to gain root-level access to users' cloud studios and connected systems.

The vulnerability centeres around a hidden URL parameter called "command" that could be manipulated to execute arbitrary commands with root privileges. The attack method involved crafting malicious URLs using two key variables: PROFILE_USERNAME and STUDIO_PATH. These variables, which are publicly accessible through the Studio templates gallery, could be combined with a base64-encoded malicious command and appended to the URL.

The vulnerability enables attackers to perform Remote Code Execution with root privileges, access to AWS metadata and cloud credentials, exfiltrate sensitive data and tokens and achieve complete control over file system operations (create, modify, delete) with further lateral movement and user info compromise.

The flaw was reported on October 14, 2024 and a patch implemented by October 25, 2024.

Users don't need to take actions, but this is an excellent lesson learned for development principles:

1. Never trust user-modifiable inputs, even if hidden
2. Avoid direct execution of user-controlled inputs
3. Implement principle of least privilege in AI development environments

No formal CVE ID was requested for this vulnerability, and Lightning.AI has confirmed there is no evidence of exploitation in the wild.