GHSA-MR7H-W2QC-FFC2

Vulnerability from github – Published: 2024-06-27 21:32 – Updated: 2025-10-15 15:48
VLAI?
Summary
pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint
Details

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

Severity ?
9.1 (Critical)
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.3.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "lightning"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-5980"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-434"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-28T21:09:29Z",
    "nvd_published_at": "2024-06-27T19:15:18Z",
    "severity": "CRITICAL"
  },
  "details": "A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim\u0027s local file system, potentially leading to remote code execution.",
  "id": "GHSA-mr7h-w2qc-ffc2",
  "modified": "2025-10-15T15:48:48Z",
  "published": "2024-06-27T21:32:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5980"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Lightning-AI/pytorch-lightning/pull/20039"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418a341cbc1f9f127f9a"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Lightning-AI/pytorch-lightning/releases/tag/2.3.3"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/lightning-ai/pytorch-lightning"
    },
    {
      "type": "WEB",
      "url": "https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "pytorch-lightning vulnerable to Arbitrary File Write via /v1/runs API endpoint"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.