MEDIUM 6.6

PYSEC-2025-102

상세

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / dagster-ge

최초 영향 버전: 0

No fixed version published yet for dagster-ge (pip). Pin to a known-safe version or switch to an alternative.

참고

https://github.com/dagster-io/dagster/pull/30002 [REPORT]
https://github.com/dagster-io/dagster [PACKAGE]
https://www.gecko.security/blog/cve-2025-51481 [EVIDENCE]