SB2025032188 - Arbitrary file overwrite in Spotify luigi
Published: March 21, 2025
Description
This security bulletin contains information about 1 security vulnerability.
1) External Control of File Name or Path (CVE-ID: CVE-2024-21542)
The vulnerability allows a remote attacker to overwrite arbitrary files on the system.
The vulnerability exists due to improper validation of file names when entries are unpacked from an archive in the _extract_packages_archive() function. A remote attacker can pass a specially crafted archive to the application and overwrite arbitrary files on the system (the so-called Zip Slip vulnerability).
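The archive-unpacking defect described above, as an added example that is not luigi's own code: a hardened tar-extraction routine in Python (luigi's language) that resolves every entry name against the destination directory and refuses the whole archive if any entry, or any symlink or hardlink target, would land outside it. The helper names (`unsafe_members`, `safe_extract`, `build_archive`, `demo`) and the in-memory archives are assumptions constructed for illustration.

```python
import io
import os
import tarfile
import tempfile

# Added example, not luigi's own code. The Zip Slip pattern: an archive entry
# whose name contains "../" (or is absolute) is written wherever that name
# resolves, because the extractor trusts the name as given. The vulnerable
# shape is simply `tar.extractall(dest)` with no check on member names.


def _is_within(directory: str, target: str) -> bool:
    """True if `target` resolves to a path inside `directory` (or equals it)."""
    directory = os.path.realpath(directory)
    target = os.path.realpath(target)
    return os.path.commonpath([directory, target]) == directory


def unsafe_members(archive_bytes: bytes, dest: str) -> list[str]:
    """Names of entries that would be written, or would link, outside `dest`.

    Pure check: nothing is extracted, so it can run before any file is touched.
    """
    offenders = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            # os.path.join drops `dest` when m.name is absolute, so absolute
            # names are caught by the same containment test.
            target = os.path.join(dest, m.name)
            if not _is_within(dest, target):
                offenders.append(m.name)
                continue
            # A symlink target is relative to the link's own directory;
            # a hardlink target is relative to the archive root.
            if m.issym():
                link = os.path.join(os.path.dirname(target), m.linkname)
            elif m.islnk():
                link = os.path.join(dest, m.linkname)
            else:
                continue
            if not _is_within(dest, link):
                offenders.append(m.name)
    return offenders


def safe_extract(archive_bytes: bytes, dest: str) -> list[str]:
    """Extract only if every entry stays inside `dest`; otherwise extract nothing."""
    bad = unsafe_members(archive_bytes, dest)
    if bad:
        raise ValueError(f"refusing to extract, entries escape {dest!r}: {bad}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            tar.extract(m, path=dest)
        return [m.name for m in members]


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: an in-memory tar.gz from a name -> content map."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> dict:
    """Run the check against one benign and one traversal archive in a temp dir."""
    benign = build_archive({"pkg/__init__.py": b"", "pkg/task.py": b"x = 1\n"})
    hostile = build_archive({"pkg/task.py": b"x = 1\n", "../../escaped.txt": b"outside\n"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "dest")
        result = {
            "benign_flagged": unsafe_members(benign, dest),
            "hostile_flagged": unsafe_members(hostile, dest),
            "benign_extracted": safe_extract(benign, dest),
        }
        try:
            safe_extract(hostile, dest)
            result["hostile_rejected"] = False
        except ValueError:
            result["hostile_rejected"] = True
        result["task_written"] = os.path.isfile(os.path.join(dest, "pkg", "task.py"))
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check runs over the whole member list before anything is written, so a hostile archive leaves no partially extracted state behind. On Python 3.12 and later (and the security backports that added PEP 706), `tarfile.extractall(dest, filter="data")` performs equivalent containment checks inside the standard library; the explicit version above shows what those checks have to cover.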
Remediation
Install the update from the vendor's website.