Platform: python
Component: lightning-ai/pytorch-lightning
Fixed in: 2.3.3
CVE-2024-5980 is an Arbitrary File Access vulnerability affecting pytorch-lightning versions up to 2.3.3. This vulnerability allows attackers to exploit path traversal within the /v1/runs API endpoint, enabling the deployment of malicious plugins that can write arbitrary files to the victim's file system. The vulnerability was published on 2024-06-27 and a fix is available in version 2.3.3.
The primary impact of CVE-2024-5980 is the potential for remote code execution (RCE). An attacker can leverage the path traversal vulnerability in the /v1/runs API to upload a malicious tar.gz plugin. This plugin, when processed by pytorch-lightning, can be crafted to write arbitrary files to any directory accessible by the LightningApp process. This could include overwriting critical system files, injecting malicious code, or gaining persistent access to the system. The blast radius extends to any system running a vulnerable pytorch-lightning instance with the plugin_server enabled, particularly those handling sensitive data or critical infrastructure.
This vulnerability is considered highly exploitable due to the ease of path traversal exploitation and the potential for RCE. While no public exploits have been widely reported, the vulnerability has been added to the CISA KEV catalog, indicating a heightened risk of exploitation. Public proof-of-concept code is likely to emerge, increasing the risk of widespread attacks. The vulnerability's impact is amplified by the popularity of pytorch-lightning within the machine learning community.
Exploit Status
EPSS: 10.73% (93rd percentile)
The primary mitigation for CVE-2024-5980 is to upgrade to pytorch-lightning version 2.3.3 or later, which contains the fix. If upgrading immediately is not feasible, disable the plugin_server feature so that the vulnerable API endpoint is not exposed. As a temporary workaround, implement strict input validation on the /v1/runs API endpoint to block path traversal attempts: whitelist allowed file extensions and verify that every path inside a submitted archive resolves to a location within the intended destination directory before extraction. Monitor system logs for suspicious file creation or modification activity.
Update the pytorch-lightning library to version 2.3.3 or higher. This fixes the path traversal vulnerability in the /v1/runs API endpoint. The update will prevent attackers from writing arbitrary files to your system.
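The following is an added example of the destination-directory check described in the workaround above; it is not code from the advisory or from pytorch-lightning. It resolves every tar member against the extraction directory and refuses the whole archive if any member would land outside it (or is a link, which could redirect later members). The archives and the temporary destination directory are constructed inside the example.

```python
import io
import os
import tarfile
import tempfile


def _inside(base: str, target: str) -> bool:
    """True if target resolves to a path at or below base (symlinks resolved)."""
    base, target = os.path.realpath(base), os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def traversal_members(tar: tarfile.TarFile, dest_dir: str) -> list[str]:
    """Names of members that would escape dest_dir, plus any symlink/hardlink
    members, since a link can later redirect a write outside dest_dir."""
    bad = []
    for m in tar.getmembers():
        escapes = os.path.isabs(m.name) or not _inside(dest_dir, os.path.join(dest_dir, m.name))
        if escapes or m.issym() or m.islnk():
            bad.append(m.name)
    return bad


def safe_extract(archive: bytes, dest_dir: str) -> list[str]:
    """Extract a tar.gz into dest_dir only if every member stays inside it."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        bad = traversal_members(tar, dest_dir)
        if bad:
            raise ValueError(f"rejected plugin archive, unsafe members: {bad}")
        tar.extractall(dest_dir)
        return [m.name for m in tar.getmembers()]


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed in-memory tar.gz used only as sample input for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> tuple[list[str], str]:
    """Extract a well-formed archive, then show a traversing one is refused."""
    clean = build_archive({"plugin/__init__.py": b"# ok\n"})
    hostile = build_archive({"../outside.txt": b"escaped\n"})  # constructed test case
    with tempfile.TemporaryDirectory() as dest:
        extracted = safe_extract(clean, dest)
        try:
            safe_extract(hostile, dest)
            refused = ""
        except ValueError as e:
            refused = str(e)
    return extracted, refused
```

On Python 3.12 and later, `tar.extractall(dest_dir, filter="data")` applies a similar policy inside the standard library and can be used in addition to the explicit check.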
CVE-2024-5980 is a CRITICAL vulnerability in pytorch-lightning versions ≤2.3.3 allowing attackers to exploit path traversal in the /v1/runs API, potentially leading to remote code execution.
You are affected if you are using pytorch-lightning versions 2.2.4 or earlier and have the plugin_server enabled.
Upgrade to pytorch-lightning version 2.3.3 or later. If immediate upgrade is not possible, disable the plugin_server.
While no widespread exploitation has been confirmed, the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the pytorch-lightning security advisory: [https://lightning.ai/blog/security-update-cve-2024-5980](https://lightning.ai/blog/security-update-cve-2024-5980)