
AVID-2026-R1582

Description

Arbitrary File Write via /v1/runs API endpoint in lightning-ai/pytorch-lightning (CVE-2024-5980)

Details

A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when tar.gz files are extracted. When the LightningApp is running with the plugin_server, attackers can deploy malicious tar.gz plugins whose archive entries carry path traversal sequences in their names. This can result in arbitrary files being written to any directory in the victim’s local file system, potentially leading to remote code execution.

Reason for inclusion in AVID: The CVE describes an arbitrary file write via an API endpoint in lightning-ai/pytorch-lightning (plugin_server) enabling path traversal during tar.gz plugin extraction, potentially leading to remote code execution. This is a software component used in AI pipelines and model deployments, representing a security vulnerability in the software supply chain of general-purpose AI systems (dependencies/plugins for AI frameworks). The report provides explicit signals (path traversal, tar.gz plugin abuse, RCE potential) and references, making it sufficient evidence for curation.
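As an added illustration, not code from this advisory or from pytorch-lightning, the following Python routine shows the check a plugin extractor needs for the CWE-22 issue described above: every tar.gz member name is validated against the destination directory before anything is written, and link or device entries are refused. The function names and the two sample archives (one benign, one with a `..` entry) are constructed here for the demonstration.

```python
import io
import os
import tarfile
import tempfile

def is_within(base: str, target: str) -> bool:
    """True if target resolves inside base ('..' and symlinks normalised away)."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base

def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Extract a tar.gz plugin into dest, refusing any member that could escape it.
    All members are validated before anything is written; raises ValueError on rejection."""
    os.makedirs(dest, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        members = tar.getmembers()
        for m in members:
            # Absolute names and any '..' path component are the classic traversal vectors.
            if os.path.isabs(m.name) or ".." in m.name.split("/"):
                raise ValueError(f"traversal member rejected: {m.name!r}")
            if not is_within(dest, os.path.join(dest, m.name)):
                raise ValueError(f"member escapes dest: {m.name!r}")
            # Links could redirect a later write outside dest; a plugin has no need for them.
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unsupported member type rejected: {m.name!r}")
        for m in members:
            tar.extract(m, dest, set_attrs=False)
    return [m.name for m in members]

def build_tar_gz(entries: dict) -> bytes:
    """Build an in-memory tar.gz from {name: content}; used only to construct samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def demo() -> tuple:
    """Returns (names extracted from a benign sample, whether a '..' sample was rejected)."""
    dest = os.path.join(tempfile.mkdtemp(), "plugins")
    extracted = safe_extract(build_tar_gz({"plugin/app.py": b"print('hi')\n"}), dest)
    try:
        safe_extract(build_tar_gz({"../evil.txt": b"constructed sample\n"}), dest)
        rejected = False
    except ValueError:
        rejected = not os.path.exists(os.path.join(dest, os.pardir, "evil.txt"))
    return extracted, rejected
```

On Python 3.12 and later (and the security backports to older 3.x releases), tarfile's extraction filters (`filter="data"`) apply comparable checks; the explicit validation above makes the policy visible and works on interpreters without them.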

References

Affected or Relevant Artifacts

  • Developer: lightning-ai
  • Deployer: lightning-ai
  • Artifact Details:
      Type: System
      Name: lightning-ai/pytorch-lightning

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
  • Base Score: 9.1
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-22
  • Description: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-06-27
  • Version: 0.3.3
  • AVID Entry