Vulnerability Database

300,926

Total vulnerabilities in the database

CVE-2025-51481

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.

Published: Jul 22, 2025
Updated: Aug 11, 2025
CVE: CVE-2025-51481
GHSA: GHSA-h7x8-jv97-fvvm
Severity: Medium
Exploit:

CVSS v3:

Severity: Unknown
Score:
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
dagster	-	1.10.16

https://github.com/dagster-io/dagster
https://github.com/dagster-io/dagster/commit/3a3cec2b51577c4970e6fc4c199cda6418c09a9d
https://github.com/dagster-io/dagster/pull/30002
https://www.gecko.security/blog/cve-2025-51481

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo