CRITICAL🇵🇱 Wersja polska

CVE-2024-5980

CVSS 9.8v3.1pub. 2024-06-27upd. 2025-10-15

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.

🤖 AI Analysis
How it works

The vulnerability concerns the tar.gz file handling mechanism in the plugin server (plugin_server) within the LightningApp application. An attacker can prepare a malicious tar.gz archive containing files with paths containing path traversal sequences (e.g., '../'). When LightningApp processes such a file through the /v1/runs endpoint, malicious files are extracted outside the intended target directory and can reach arbitrary locations in the victim's file system. Placing appropriate executable or configuration files in critical locations can lead to remote code execution.

Impact

An attacker can write arbitrary files to any directory in the victim's local file system, which may lead to remote code execution (RCE) and complete system compromise.

Mitigation & patch

Apply the patch available in the vendor's repository (commit 330af381de88cff17515418a341cbc1f9f127f9a on GitHub). It is recommended to update to a version containing the specified fix. Until an update is applied, consider disabling the plugin_server feature or restricting network access to the /v1/runs endpoint.

Who is affected

lightning-ai/pytorch-lightning in version v2.2.4 when LightningApp application runs with plugin_server enabled

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lightningai Pytorch Lightning

    APP
    Lightningai
    2.2.4 – 2.3.3 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCEPath Traversal
CWE
References

Related vulnerabilities

CVE-2026-44484CRITICAL9.3PL ✓ten sam produkt

PyTorch Lightning – mechanizm harvesting poświadczeń (Embedded Malicious Code)

CVE-2024-8019CRITICAL9.1PL ✓ten sam produkt

RCE przez upload pliku w PyTorch Lightning (Windows) – CVE-2024-8019

CVE-2024-5452CRITICAL9.8PL ✓ten sam produkt

RCE w pytorch-lightning przez podatną deserializację obiektów deepdiff

CVE-2022-0845CRITICAL9.8ten sam produkt

Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.

CVE-2026-31221HIGH7.8ten sam produkt

PyTorch-Lightning versions 2.6.0 and earlier contain an insecure deserialization vulnerability (CWE-502) in th...