CVE-2024-5980

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-5980

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-5980.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2024-5980

Aliases

GHSA-mr7h-w2qc-ffc2

Published

2024-06-27T19:15:18Z

Modified

2025-07-31T03:26:13Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

References

https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3

Affected packages

Git / github.com/lightning-ai/pytorch-lightning

Affected ranges

Type: GIT
Repo: https://github.com/lightning-ai/pytorch-lightning
Events: Introduced

2a46b0ccdd813d14fe7b98b631ae948450a67375

Fixed

cf348673eda662cc2e9aa71a72a19b8774f85718