PYSEC-2025-102
Vulnerability from pysec - Published: 2025-07-22 17:15 - Updated: 2026-06-04 17:40
VLAI
Details
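Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check. The named function sits under the `dagster` module path, while this record lists `dagster-ge` as the affected package, so check the installed versions of both when assessing exposure. The record marks 1.10.14 as the last affected version. Because the request can only be sent by a party with access to the gRPC server, limiting who can reach that server reduces exposure on installations that have not yet been upgraded.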
Severity
6.6 (Medium)
Impacted products
| Name | purl |
|---|---|
| dagster-ge | pkg:pypi/dagster-ge |
Aliases
{
"affected": [
{
"ecosystem_specific": {},
"package": {
"ecosystem": "PyPI",
"name": "dagster-ge",
"purl": "pkg:pypi/dagster-ge"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.10.14"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.10.0",
"0.10.0rc0",
"0.10.1",
"0.10.1rc0",
"0.10.2",
"0.10.2rc0",
"0.10.3",
"0.10.3rc0",
"0.10.4",
"0.10.4rc0",
"0.10.5",
"0.10.5rc0",
"0.10.6",
"0.10.6rc0",
"0.10.7",
"0.10.7rc0",
"0.10.8",
"0.10.8rc0",
"0.10.9",
"0.11.0",
"0.11.0rc0",
"0.11.1",
"0.11.10",
"0.11.10rc0",
"0.11.10rc1",
"0.11.10rc2",
"0.11.11",
"0.11.11rc1",
"0.11.11rc5",
"0.11.11rc7",
"0.11.12",
"0.11.12rc0",
"0.11.12rc2",
"0.11.12rc3",
"0.11.13",
"0.11.13rc2",
"0.11.13rc3",
"0.11.13rc5",
"0.11.14",
"0.11.14rc0",
"0.11.14rc1",
"0.11.14rc2",
"0.11.14rc3",
"0.11.14rc4",
"0.11.14rc5",
"0.11.14rc7",
"0.11.14rc8",
"0.11.15",
"0.11.15rc0",
"0.11.15rc1",
"0.11.16",
"0.11.16rc10",
"0.11.16rc18",
"0.11.1rc0",
"0.11.2",
"0.11.2rc0",
"0.11.3",
"0.11.3rc0",
"0.11.4",
"0.11.4rc0",
"0.11.5",
"0.11.5rc0",
"0.11.5rc1",
"0.11.6",
"0.11.6rc11",
"0.11.6rc13",
"0.11.6rc14",
"0.11.6rc15",
"0.11.6rc16",
"0.11.6rc17",
"0.11.6rc18",
"0.11.6rc19",
"0.11.6rc20",
"0.11.6rc21",
"0.11.6rc22",
"0.11.6rc23",
"0.11.6rc24",
"0.11.6rc25",
"0.11.6rc26",
"0.11.6rc27",
"0.11.6rc28",
"0.11.6rc29",
"0.11.6rc31",
"0.11.6rc32",
"0.11.6rc5",
"0.11.6rc7",
"0.11.6rc8",
"0.11.6rc9",
"0.11.7",
"0.11.7rc1",
"0.11.7rc10",
"0.11.7rc13",
"0.11.7rc14",
"0.11.7rc2",
"0.11.7rc3",
"0.11.7rc4",
"0.11.7rc6",
"0.11.7rc7",
"0.11.7rc8",
"0.11.7rc9",
"0.11.8",
"0.11.8rc4",
"0.11.8rc5",
"0.11.9",
"0.11.9rc10",
"0.11.9rc11",
"0.11.9rc12",
"0.11.9rc6",
"0.11.9rc7",
"0.11.9rc8",
"0.12.0",
"0.12.0rc0",
"0.12.1",
"0.12.10",
"0.12.10rc0",
"0.12.10rc1",
"0.12.11",
"0.12.11rc0",
"0.12.12",
"0.12.12rc0",
"0.12.13",
"0.12.13rc0",
"0.12.14",
"0.12.14rc0",
"0.12.14rc1",
"0.12.14rc2",
"0.12.15",
"0.12.15rc2",
"0.12.1rc0",
"0.12.2",
"0.12.2rc0",
"0.12.3",
"0.12.3rc1",
"0.12.4",
"0.12.4rc0",
"0.12.4rc1",
"0.12.5",
"0.12.5rc0",
"0.12.6",
"0.12.6rc0",
"0.12.7",
"0.12.7rc0",
"0.12.8",
"0.12.8rc0",
"0.12.9",
"0.12.9rc0",
"0.12.9rc1",
"0.12.9rc2",
"0.13.0",
"0.13.0rc0",
"0.13.1",
"0.13.10",
"0.13.10rc3",
"0.13.11",
"0.13.11rc0",
"0.13.12",
"0.13.12rc2",
"0.13.13",
"0.13.13rc0",
"0.13.14",
"0.13.14rc0",
"0.13.15",
"0.13.15rc0",
"0.13.16",
"0.13.16rc0",
"0.13.17",
"0.13.17rc0",
"0.13.18",
"0.13.18rc0",
"0.13.19",
"0.13.19rc2",
"0.13.1rc0",
"0.13.2",
"0.13.2rc0",
"0.13.2rc2",
"0.13.3",
"0.13.3rc0",
"0.13.4",
"0.13.4rc0",
"0.13.5",
"0.13.5rc0",
"0.13.6",
"0.13.6rc0",
"0.13.7",
"0.13.7rc0",
"0.13.8",
"0.13.8rc0",
"0.13.9",
"0.13.9rc0",
"0.14.0",
"0.14.0rc0",
"0.14.1",
"0.14.10",
"0.14.11",
"0.14.12",
"0.14.13",
"0.14.14",
"0.14.15",
"0.14.16",
"0.14.16rc2",
"0.14.16rc3",
"0.14.16rc4",
"0.14.17",
"0.14.17rc10",
"0.14.17rc3",
"0.14.17rc4",
"0.14.17rc5",
"0.14.17rc6",
"0.14.17rc7",
"0.14.17rc8",
"0.14.18",
"0.14.18rc2",
"0.14.18rc3",
"0.14.18rc4",
"0.14.18rc5",
"0.14.18rc6",
"0.14.19",
"0.14.1rc0",
"0.14.2",
"0.14.20",
"0.14.20rc0",
"0.14.21rc0",
"0.14.2rc0",
"0.14.3",
"0.14.3rc0",
"0.14.4",
"0.14.4rc0",
"0.14.5",
"0.14.5rc0",
"0.14.6",
"0.14.6rc0",
"0.14.7",
"0.14.7rc0",
"0.14.8",
"0.14.8rc1",
"0.14.9",
"0.14.9rc0",
"0.15.0",
"0.15.1",
"0.15.10",
"0.15.2",
"0.15.3",
"0.15.4",
"0.15.5",
"0.15.6",
"0.15.7",
"0.15.8",
"0.15.9",
"0.16.0",
"0.16.0rc2",
"0.16.1",
"0.16.10",
"0.16.11",
"0.16.12",
"0.16.13",
"0.16.14",
"0.16.15",
"0.16.16",
"0.16.17",
"0.16.2",
"0.16.3",
"0.16.4",
"0.16.6",
"0.16.7",
"0.16.8",
"0.16.9",
"0.17.1",
"0.17.10",
"0.17.11",
"0.17.12",
"0.17.13",
"0.17.14",
"0.17.15",
"0.17.16",
"0.17.17",
"0.17.17rc0",
"0.17.18",
"0.17.19",
"0.17.2",
"0.17.20",
"0.17.21",
"0.17.3",
"0.17.4",
"0.17.5",
"0.17.6",
"0.17.7",
"0.17.8",
"0.17.9",
"0.18.0",
"0.18.1",
"0.18.2",
"0.18.3",
"0.18.4",
"0.18.5",
"0.18.6",
"0.18.7",
"0.19.0",
"0.19.1",
"0.19.10",
"0.19.11",
"0.19.12",
"0.19.13",
"0.19.14",
"0.19.14rc1",
"0.19.14rc2",
"0.19.2",
"0.19.3",
"0.19.4",
"0.19.5",
"0.19.6",
"0.19.7",
"0.19.8",
"0.19.9",
"0.19.9rc0",
"0.20.0",
"0.20.1",
"0.20.10",
"0.20.11",
"0.20.12",
"0.20.13",
"0.20.13rc0",
"0.20.13rc1",
"0.20.14",
"0.20.15",
"0.20.16",
"0.20.17",
"0.20.2",
"0.20.3",
"0.20.4",
"0.20.5",
"0.20.6",
"0.20.7",
"0.20.8",
"0.20.9",
"0.21.0",
"0.21.1",
"0.21.10",
"0.21.11",
"0.21.12",
"0.21.13",
"0.21.14",
"0.21.14rc0",
"0.21.2",
"0.21.3",
"0.21.4",
"0.21.5",
"0.21.6",
"0.21.7",
"0.21.8",
"0.21.9",
"0.22.0",
"0.22.1",
"0.22.10",
"0.22.11",
"0.22.12",
"0.22.13",
"0.22.14",
"0.22.2",
"0.22.3",
"0.22.4",
"0.22.5",
"0.22.6",
"0.22.7",
"0.22.8",
"0.22.9",
"0.23.0",
"0.23.1",
"0.23.10",
"0.23.11",
"0.23.12",
"0.23.13",
"0.23.14",
"0.23.15",
"0.23.16",
"0.23.2",
"0.23.2rc1",
"0.23.2rc2",
"0.23.2rc3",
"0.23.2rc4",
"0.23.3",
"0.23.4",
"0.23.5",
"0.23.6",
"0.23.7",
"0.23.8",
"0.23.9",
"0.23.9rc0",
"0.24.0",
"0.24.1",
"0.24.10",
"0.24.11",
"0.24.12",
"0.24.13",
"0.24.2",
"0.24.3",
"0.24.4",
"0.24.5",
"0.24.6",
"0.24.7",
"0.24.8",
"0.24.9",
"0.25.0",
"0.25.1",
"0.25.10",
"0.25.11",
"0.25.12",
"0.25.13",
"0.25.2",
"0.25.3",
"0.25.4",
"0.25.4rc0",
"0.25.5",
"0.25.6",
"0.25.7",
"0.25.8",
"0.25.9",
"0.26.0",
"0.26.1",
"0.26.10",
"0.26.11",
"0.26.11rc0",
"0.26.11rc1",
"0.26.12",
"0.26.13",
"0.26.14",
"0.26.15",
"0.26.16",
"0.26.17",
"0.26.18",
"0.26.18rc0",
"0.26.18rc1",
"0.26.18rc2",
"0.26.19",
"0.26.2",
"0.26.20",
"0.26.21",
"0.26.3",
"0.26.4",
"0.26.5",
"0.26.6",
"0.26.6rc0",
"0.26.7",
"0.26.7rc0",
"0.26.8",
"0.26.9",
"0.27.0",
"0.27.1",
"0.27.10",
"0.27.11",
"0.27.12",
"0.27.13",
"0.27.14",
"0.27.15",
"0.27.16",
"0.27.2",
"0.27.3",
"0.27.4",
"0.27.5",
"0.27.6",
"0.27.7",
"0.27.8",
"0.27.9",
"0.28.0",
"0.28.1",
"0.28.10",
"0.28.11",
"0.28.12",
"0.28.13",
"0.28.13rc0",
"0.28.14",
"0.28.14rc2",
"0.28.14rc3",
"0.28.14rc4",
"0.28.15",
"0.28.15rc3",
"0.28.15rc4",
"0.28.16",
"0.28.16rc1",
"0.28.17",
"0.28.17rc0",
"0.28.18",
"0.28.19",
"0.28.2",
"0.28.20",
"0.28.21",
"0.28.22",
"0.28.3",
"0.28.4",
"0.28.5",
"0.28.6",
"0.28.7",
"0.28.8",
"0.28.9",
"0.29.0",
"0.29.1",
"0.29.2",
"0.29.3",
"0.29.4",
"0.29.5",
"0.29.5rc0",
"0.3.0",
"0.3.0.post2",
"0.3.0.post3",
"0.3.3.post1",
"0.3.4",
"0.3.5",
"0.4.0",
"0.4.0rc2",
"0.4.3",
"0.4.3.post2",
"0.4.3.post4",
"0.4.3rc1",
"0.5.0",
"0.5.0rc0",
"0.5.0rc2",
"0.5.0rc3",
"0.5.0rc4",
"0.5.1",
"0.5.1rc0",
"0.5.2",
"0.5.2.post2",
"0.5.2.post3",
"0.5.2rc0",
"0.5.3",
"0.5.4",
"0.5.4rc0",
"0.5.5",
"0.5.5rc0",
"0.5.6",
"0.5.6rc2",
"0.5.7",
"0.5.7rc0",
"0.5.8",
"0.5.8rc0",
"0.5.9",
"0.5.9rc0",
"0.6.0",
"0.6.0.post0",
"0.6.0rc0",
"0.6.0rc1",
"0.6.1",
"0.6.1rc1",
"0.6.2",
"0.6.2rc0",
"0.6.2rc1",
"0.6.2rc2",
"0.6.3",
"0.6.3rc0",
"0.6.3rc2",
"0.6.4",
"0.6.4rc0",
"0.6.4rc3",
"0.6.5",
"0.6.5rc3",
"0.6.6",
"0.6.6rc1",
"0.6.7",
"0.6.7.post0",
"0.6.7rc0",
"0.6.8",
"0.6.8rc2",
"0.6.9",
"0.7.0",
"0.7.0rc0",
"0.7.0rc1",
"0.7.1",
"0.7.1rc0",
"0.7.2",
"0.7.2rc0",
"0.7.3",
"0.7.3rc1",
"0.8.10",
"0.8.10rc0",
"0.8.10rc1",
"0.8.10rc2",
"0.8.6",
"0.8.6rc1",
"0.8.7",
"0.8.7rc0",
"0.8.8",
"0.8.8rc0",
"0.8.9",
"0.8.9rc0",
"0.9.0",
"0.9.0rc0",
"0.9.1",
"0.9.10.post0",
"0.9.11",
"0.9.11rc0",
"0.9.12",
"0.9.12rc0",
"0.9.12rc1",
"0.9.13",
"0.9.13rc0",
"0.9.14",
"0.9.14rc0",
"0.9.15",
"0.9.15rc0",
"0.9.16",
"0.9.16rc0",
"0.9.17",
"0.9.17rc0",
"0.9.18",
"0.9.18rc0",
"0.9.19",
"0.9.19rc0",
"0.9.1rc0",
"0.9.1rc1",
"0.9.2",
"0.9.20",
"0.9.20rc0",
"0.9.21",
"0.9.21rc0",
"0.9.22",
"0.9.22.post0",
"0.9.22rc1",
"0.9.2rc0",
"0.9.3",
"0.9.3rc0",
"0.9.4",
"0.9.4rc0",
"0.9.5",
"0.9.5rc1",
"0.9.6",
"0.9.6rc0",
"0.9.7",
"0.9.7rc0",
"0.9.8",
"0.9.8rc0",
"0.9.9",
"0.9.9rc1",
"0.29.6",
"0.29.7",
"0.29.8"
]
}
],
"aliases": [
"CVE-2025-51481"
],
"details": "Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.",
"id": "PYSEC-2025-102",
"modified": "2026-06-04T17:40:20.615875Z",
"published": "2025-07-22T17:15:33.543Z",
"references": [
{
"type": "REPORT",
"url": "https://github.com/dagster-io/dagster/pull/30002"
},
{
"type": "PACKAGE",
"url": "https://github.com/dagster-io/dagster"
},
{
"type": "EVIDENCE",
"url": "https://www.gecko.security/blog/cve-2025-51481"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L",
"type": "CVSS_V3"
}
]
}
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.