CVE-2024-5980 in pytorch-lightning
Summary
by MITRE • 06/27/2024
A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path traversal vulnerabilities. This can result in arbitrary files being written to any directory in the victim's local file system, potentially leading to remote code execution.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/30/2025
The vulnerability identified as CVE-2024-5980 resides within the lightning-ai/pytorch-lightning framework version 2.2.4, specifically affecting the /v1/runs API endpoint when operating in plugin_server mode. This security flaw represents a critical path traversal vulnerability that enables malicious actors to exploit the system's file extraction mechanisms. The vulnerability manifests when the framework processes tar.gz plugin files through its plugin server functionality, creating a dangerous attack surface where attacker-controlled archives can be decompressed and written to arbitrary locations on the target system.
The technical implementation of this vulnerability stems from insufficient input validation and sanitization during the extraction process of compressed archives. When the LightningApp processes plugin files, it fails to properly validate the file paths contained within tar.gz archives, allowing attackers to include malicious path traversal sequences such as ../ or ../../ in their file names. This weakness directly maps to CWE-22, which describes path traversal vulnerabilities where untrusted input is used to construct file paths without proper validation. The flaw operates at the file system level, where the decompression process does not adequately restrict the destination paths of extracted files, enabling attackers to write content outside of intended directories.
The operational impact of CVE-2024-5980 extends beyond simple unauthorized file access, potentially enabling complete system compromise through remote code execution capabilities. An attacker who successfully exploits this vulnerability can write malicious files to critical system directories, including those containing executables, configuration files, or system binaries. This arbitrary file writing capability provides a pathway for privilege escalation and persistent access, as attackers can place backdoors, modified binaries, or malicious scripts in locations where the pytorch-lightning application has write permissions. The vulnerability is particularly dangerous in containerized environments or multi-tenant systems where the plugin server might be accessible to untrusted users or external parties.
Mitigation strategies for this vulnerability require immediate implementation of multiple defensive layers. Organizations should first apply the latest available patches from the pytorch-lightning project that address the path traversal flaw in the plugin extraction mechanism. System administrators must also implement strict input validation for all plugin files, including canonicalizing file paths and rejecting any entries containing path traversal sequences. Network segmentation and access controls should be enforced to limit exposure of the plugin_server functionality to trusted sources only. Additionally, monitoring and logging should be enhanced to detect suspicious file creation patterns, particularly in system directories or locations where the application is not expected to write files. The ATT&CK framework categorizes this vulnerability under T1059 for execution through command and scripting interpreter, and potentially T1078 for valid accounts usage, making comprehensive detection and response planning essential for effective defense.