A severe security vulnerability has been identified in the Lightning AI Studio development platform, carrying a critical CVSS score of 9.4. Security researchers from Noma have uncovered a flaw that could enable remote code execution with root privileges through the exploitation of a hidden URL parameter.

The vulnerability exists within JavaScript code that could grant unauthorized access to users’ development environments. Researchers discovered a concealed “command” parameter in user-specific URLs that accepts Base64-encoded instructions for execution on the host system. This security gap could allow attackers to:

– Execute arbitrary commands with root privileges
– Extract sensitive access tokens and user data
– Manipulate server file systems
– Gain unauthorized access to development environments

To exploit this vulnerability, attackers only need a profile username and associated Lightning AI Studio information, both of which are publicly accessible through the Studio templates gallery. The attack can be initiated by crafting a malicious link targeting a specific Studio with root permissions.

The research team, consisting of Sasi Levi, Alon Tron, and Gal Moyal, reported the vulnerability on October 14, 2024. Lightning AI promptly addressed the issue, implementing a fix by October 25.

This security incident highlights the crucial importance of protecting AI development tools and systems due to their sensitive nature and potential impact on user security.