CVE-2024-21542
HIGH
Pypi Luigi < 3.6.0 - Path Traversal
Title source: ruleDescription
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
Exploits (1)
References (5)
Scores
CVSS v3
8.6
EPSS
0.1315
EPSS Percentile
94.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Details
CWE
CWE-22
CWE-29
Status
published
Products (2)
n/a/luigi
< 3.6.0
pypi/luigi
0 - 3.6.0
PyPI
Published
Dec 10, 2024
Tracked Since
Feb 18, 2026