GHSA-8qch-vj6m-2694

GitHub Security Advisory

luigi Arbitrary File Write via Archive Extraction (Zip Slip)

✓ GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.

Affected Packages

PyPI luigi
Affected versions: 0 (fixed in 3.6.0)

Related CVEs

Key Information

GHSA ID: GHSA-8qch-vj6m-2694
Published: December 10, 2024 6:31 AM
Last Modified: February 11, 2025 12:36 AM
CVSS Score: 7.5/10
Primary Ecosystem: PyPI
Primary Package: luigi
GitHub Reviewed: ✓ Yes

Dataset

Last updated: June 14, 2025 6:24 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.