CVE-2025-51481

Medium CVSS 6.6

Overview

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.

CWE: CWE-22 Published: 2025-07-22T17:15:33.543

Risk analysis

This vulnerability is rated 🟡 MEDIUM.

CVSS: 6.6 (MEDIUM)
Detected tags: lfi, path (tag impact: MODERATE)

Recommended actions:

Normalize paths, use allowlists; block user-controlled file paths.
Canonicalize path; block `..` traversal; use allowlists.

Overview

Recommended tools

Tags