CVE-2024-21542

HIGH

luigi < 3.6.0 - Arbitrary File Write via Archive Extraction

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-21542. PoCs published by L3ster1337.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2024-21542, demonstrating a Zip Slip vulnerability in the Luigi package. The exploit creates a malicious tar archive with path traversal filenames to achieve arbitrary file write, potentially leading to arbitrary code execution.

Description

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.

Exploits (1)

nomisec · Working PoC · 1 star
by L3ster1337 · PoC
https://github.com/L3ster1337/Poc-CVE-2024-21542


Classification: Working PoC 95%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: Luigi (Python package)
Authentication: No auth needed
Prerequisites: Python environment with Luigi installed · Ability to pass a malicious tar archive to the vulnerable function
Analyzed by devstral-2 on Feb 18, 2026

Scores

CVSS v3 8.6
EPSS 0.1421
EPSS Percentile 94.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE: CWE-22, CWE-29
Status: published
Products (2)
n/a/luigi < 3.6.0
pypi/luigi 0 - 3.6.0 (PyPI)
Published: Dec 10, 2024
Tracked Since: Feb 18, 2026