PT-2025-30442 · Dagster · Dagster

Geckosecurity · Published 2025-07-22 · Updated 2025-07-22 · CVE-2025-51481

CVSS v3.1: 6.6 (Medium)

Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

Name of the Vulnerable Software and Affected Versions

Dagster version 1.10.14

Description

A local file inclusion issue exists in the `dagster._grpc.impl.get_notebook_data` function. Attackers with access to the gRPC server can read arbitrary files by providing path traversal sequences in the `notebook_path` field of ExternalNotebookData requests, bypassing the intended extension-based check.

Recommendations

Update to a newer version that contains a fix for this issue. As a temporary workaround, restrict access to the gRPC server to minimize the risk of exploitation.
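
The weakness class described above, as an added example that is not Dagster's code or its fix: a suffix-only check next to a check that canonicalizes the path and enforces a root directory. The function names, the `allowed_root` parameter and the temporary files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path


def suffix_only_check(notebook_path: str) -> bool:
    """Weak pattern: inspects only the file extension, never the directory."""
    return notebook_path.endswith(".ipynb")


def resolve_notebook(notebook_path: str, allowed_root: Path) -> Path:
    """Hardened pattern: canonicalize first, then enforce root and extension."""
    root = allowed_root.resolve()
    # resolve() collapses ".." segments and follows symlinks before any check.
    candidate = (root / notebook_path).resolve()
    if candidate.suffix != ".ipynb":
        raise ValueError("not a notebook file")
    if not candidate.is_relative_to(root):  # requires Python 3.9+
        raise ValueError("path escapes the notebook root")
    if not candidate.is_file():
        raise ValueError("no such notebook")
    return candidate


def demo() -> dict:
    """Run both checks over constructed sample paths; returns (weak, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "notebooks"  # hypothetical allowed notebook directory
        root.mkdir()
        (root / "report.ipynb").write_text("{}")
        (base / "outside.ipynb").write_text("{}")  # outside the allowed root
        samples = {
            "inside": "report.ipynb",
            "dotdot": "../outside.ipynb",
            "absolute": str(base / "outside.ipynb"),
        }
        results = {}
        for label, path in samples.items():
            try:
                resolve_notebook(path, root)
                hardened = True
            except ValueError:
                hardened = False
            results[label] = (suffix_only_check(path), hardened)
        return results


if __name__ == "__main__":
    print(demo())
```

The suffix-only check accepts all three sample paths, while the hardened check accepts only the file that resolves inside the allowed root.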

Exploit

Fix

Path traversal


Weakness Enumeration

Related Identifiers

CVE-2025-51481
GHSA-H7X8-JV97-FVVM
PYSEC-2025-102

Affected Products

Dagster