Cyber Resilience

CVE-2024-21542

Medium

Published: 10 December 2024

Published: 10 December 2024
Modified: 29 April 2026
KEV Added: not listed
Patch: fixed in luigi 3.6.0
CVSS Score (v4): 6.6
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.1421 (94.5th percentile)
Risk Priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-21542 is a medium-severity path traversal vulnerability (CWE-29, Path Traversal: '\..\filename', with CWE-22 also cited) in the luigi Python package. The page's automated product inference names Snyk, which is the advisory source in the references rather than the affected software; the vulnerability description itself identifies luigi before 3.6.0 as affected. Its CVSS 4.0 base score is 6.6 (Medium).

Operationally, its EPSS percentile (94.5th) places it in the top 5.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Versions of the luigi package before 3.6.0 contain a Zip Slip vulnerability that permits arbitrary file writes during archive extraction. The _extract_packages_archive function joins archive member names onto the destination directory without validating the resulting path, so an entry whose name contains '..' components lands outside the intended directory. The weakness is tracked under CWE-29 and CWE-22 and carries a CVSS 4.0 score of 6.6.

An unauthenticated network attacker who can get a crafted archive processed by the affected function writes attacker-controlled content to any location the extracting process can write to. The CVSS 4.0 vector rates integrity impact on the vulnerable component as low (VI:L) and on the subsequent system as high (SI:H): the realistic outcome is overwriting system files, configuration or code that another component later loads, with confidentiality and availability largely unaffected.

The maintainers fixed the issue in release 3.6.0, with the corrective change committed to the repository; upgrade to 3.6.0 or later. A public proof-of-concept exists (reflected in the vector's E:P), and the EPSS score of 0.1421 has remained flat since disclosure.
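To make the bug class concrete, the following is an added example, written for this page and not luigi's own code or its fix. It builds a constructed tar archive in memory containing one entry named '../escaped.txt', extracts it with a deliberately vulnerable routine that joins the member name onto the destination without checks (the pattern described above), and then with a hardened routine that resolves every member path with realpath and rejects anything outside the destination before writing a single file. A small scanner that lists traversal entries is included for triaging archives before they reach an extractor. All function names are this example's own; the archive contents are constructed test data.

```python
import io
import os
import tarfile
import tempfile


def build_archive(entries):
    """Build an in-memory tar archive from {name: bytes}.
    Constructed test input, not a real luigi packages archive."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)  # name is stored verbatim, so '../x' is allowed
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_unsafe(archive_bytes, dest):
    """Vulnerable pattern (illustrative, not luigi's code): the member name is
    joined onto dest with no validation, so '../escaped.txt' escapes dest."""
    written = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            target = os.path.join(dest, member.name)  # no check on the result
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(os.path.realpath(target))
    return written


def safe_join(dest, name):
    """Resolve the final on-disk path and reject anything outside dest.
    Comparing resolved paths, not the raw string, catches '..', '\\..\\' and
    mixed-separator variants (CWE-22 / CWE-29)."""
    root = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"archive entry escapes destination: {name!r}")
    return target


def find_traversal_entries(archive_bytes):
    """Return the names of members that would escape an extraction directory.
    Useful as a pre-check before handing an archive to any extractor."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for member in tar.getmembers():
            try:
                safe_join("/tmp/probe", member.name)  # probe root; nothing is written
            except ValueError:
                bad.append(member.name)
    return bad


def extract_safe(archive_bytes, dest):
    """Hardened extraction: validate every member first, then write, so a bad
    entry late in the archive does not leave a partially extracted tree.
    Link members are rejected because a symlink can redirect later writes."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        members = tar.getmembers()
        plan = []
        for member in members:
            if member.issym() or member.islnk():
                raise ValueError(f"link entries not allowed: {member.name!r}")
            if not (member.isfile() or member.isdir()):
                raise ValueError(f"unsupported entry type: {member.name!r}")
            plan.append((member, safe_join(dest, member.name)))
        written = []
        for member, target in plan:
            if member.isdir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(tar.extractfile(member).read())
            written.append(target)
    return written


def demo():
    """Run both extractors on the constructed malicious archive. Returns
    (unsafe extractor wrote outside dest, safe extractor rejected archive,
    number of files the safe extractor wrote)."""
    archive = build_archive({
        "pkg/module.py": b"print('legit')\n",
        "../escaped.txt": b"written outside dest\n",  # the Zip Slip entry
    })
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.makedirs(dest)
        extract_unsafe(archive, dest)
        escaped = os.path.exists(os.path.join(tmp, "escaped.txt"))
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        os.makedirs(dest)
        try:
            safe_written = extract_safe(archive, dest)
            rejected = False
        except ValueError:
            safe_written, rejected = [], True
    return escaped, rejected, len(safe_written)


if __name__ == "__main__":
    print(demo())
```

Running the block shows the vulnerable extractor creating escaped.txt one level above its destination directory while the hardened one raises before writing anything. The check must be done on the resolved path rather than by searching the name for '..': a leading slash, a backslash variant, or a directory symlink planted by an earlier member can all defeat string matching, which is why extract_safe also refuses link entries.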

Vulnerability details

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.

CWE(s)

CWE-29: Path Traversal: '\..\filename'
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

luigi (Python package), versions before 3.6.0
Identified from the vulnerability description; NVD did not file a CPE for this CVE, and the automated inference from the references had named Snyk, the advisory source, rather than the affected package.

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-22 (and the CWE-29 variant cited here): validate the fully resolved destination path of every archive entry against the intended extraction directory before writing, rather than searching entry names for '..' substrings, and reject link entries that could redirect later writes.
