Project Jupyter · Jupyter Server · CVE-2026-35397
**Name of the Vulnerable Software and Affected Versions**
Jupyter Server versions prior to 2.18.0
**Description**
A path traversal issue in the REST API allows an authenticated user to escape the configured `root dir` and access sibling directories whose names begin with the name of the `root dir` as a prefix. By sending a crafted request to the `/api/contents` endpoint using encoded path components, an attacker can read, write, and delete files in these sibling directories. This is particularly critical in multi-tenant deployments using predictable naming schemes; for instance, a user with a directory named `user1` could access directories named `user10` through `user19`. Users capable of choosing single-character folder names could potentially access a larger number of sibling directories.
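The class of containment check that produces the sibling-prefix escape described above, as an added example that is not Jupyter Server's code: a naive string-prefix test beside a component-wise `commonpath` test, plus an audit helper that lists which sibling names the naive test would wrongly accept. The `/srv/nb/...` paths, the `user1`..`user24` directory names and all function names are constructed for the example.

```python
"""Prefix-based root_dir containment bug, reconstructed as a generic example.

Constructed illustration, not Jupyter Server's code: a contents-style API
decodes a URL path component, joins it under the tenant's root and must then
decide whether the result is still inside that root.
"""
import os
from urllib.parse import unquote


def resolve(root: str, api_path: str) -> str:
    """Decode one URL path component and join it under root (realpath also
    collapses '..' segments and resolves symlinks)."""
    return os.path.realpath(os.path.join(root, unquote(api_path)))


def is_under_root_naive(root: str, candidate: str) -> bool:
    """Weak check: '/srv/nb/user1' is a string prefix of '/srv/nb/user10',
    so a sibling directory sharing the prefix passes as 'inside'."""
    return candidate.startswith(os.path.realpath(root))


def is_under_root(root: str, candidate: str) -> bool:
    """Hardened check: compare whole path components, not characters.
    commonpath() only equals root when candidate is root or below it."""
    root = os.path.realpath(root)
    try:
        return os.path.commonpath([root, candidate]) == root
    except ValueError:  # paths on different drives (Windows) never share a root
        return False


def classify(root: str, api_path: str) -> dict:
    """Evaluate one request against both checks, for side-by-side comparison."""
    target = resolve(root, api_path)
    return {
        "target": target,
        "naive": is_under_root_naive(root, target),
        "hardened": is_under_root(root, target),
    }


def exposed_siblings(root: str, siblings: list) -> list:
    """Audit helper: which sibling directory names (constructed list) would the
    naive check accept as lying inside root? Useful for checking a naming
    scheme against the advisory's temporary workaround."""
    parent = os.path.dirname(root)
    own = os.path.basename(root)
    return [s for s in siblings
            if s != own and is_under_root_naive(root, os.path.join(parent, s))]
```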
**Recommendations**
Update to version 2.18.0.
As a temporary workaround, ensure folder names do not share a common prefix with any sibling directory.