CVE-2024-5980

9.8 CRITICAL
Published: June 27, 2024 Modified: October 15, 2025
View on NVD

Description

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/lightning-ai/pytorch-lightning/commit/330af381de88cff17515418a341cbc1f9f127f9a
Source: security@huntr.dev
https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3
Source: security@huntr.dev
Exploit Third Party Advisory
https://huntr.com/bounties/55a6ac6f-89c7-42ea-86f3-c6e93a2679f3
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Third Party Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.8 / 10.0
EPSS (Exploit Probability)
10.7%
93th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-22

Affected Vendors

lightningai

Related CVEs

CVE-2025-52691 10.0
CVE-2025-15168 7.3
CVE-2025-15167 7.3
CVE-2025-15166 7.3
CVE-2025-15165 7.3