CVE-2024-5980

CRITICAL

lightning-ai/pytorch-lightning 2.2.4-2.3.2 - Path Traversal and Arbitrary File Write via Tar.gz Plugin Extraction

Title source: llm

Description

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3

Patch

https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418a341cbc1f9f127f9a

View Patch ZIP pw:eip

Scores

CVSS v3 9.8

EPSS 0.1073

EPSS Percentile 93.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-22

Status published

Products (2)

lightningai/pytorch_lightning 2.2.4 - 2.3.3

pypi/lightning 0 - 2.3.3PyPI

Published Jun 27, 2024

Tracked Since Feb 18, 2026