What is GHSA-h7x8-jv97-fvvm?

GHSA-h7x8-jv97-fvvm is a security advisory published by GitHub Security Advisories with Medium severity. Dagster Local File Inclusion vulnerability

Which CVE IDs does GHSA-h7x8-jv97-fvvm cover?

GHSA-h7x8-jv97-fvvm covers the following CVE IDs: CVE-2025-51481. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-h7x8-jv97-fvvm?

GHSA-h7x8-jv97-fvvm has a CVSS v3 base score of 6.6, published by GitHub Security Advisories.

Which products are affected by GHSA-h7x8-jv97-fvvm?

GHSA-h7x8-jv97-fvvm affects 1 product, including: pip/dagster:\u003c 1.10.16.

GHSA-h7x8-jv97-fvvmMediumCVSS 6.6

Dagster Local File Inclusion vulnerability

Vendor

GitHub Security Advisories

Published

July 22, 2025

Last Modified

June 5, 2026

🔗 CVE IDs covered (1)

CVE-2025-51481 →

📋 Description

Local File Inclusion in dagster._grpc.impl.get_notebook_data in Dagster 1.10.14 allows attackers with access to the gRPC server to read arbitrary files by supplying path traversal sequences in the notebook_path field of ExternalNotebookData requests, bypassing the intended extension-based check.

🎯 Affected products1

pip/dagster:< 1.10.16

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2025-51481
https://github.com/dagster-io/dagster/pull/30002
https://github.com/dagster-io/dagster
https://www.gecko.security/blog/cve-2025-51481
https://github.com/dagster-io/dagster/commit/3a3cec2b51577c4970e6fc4c199cda6418c09a9d
https://github.com/pypa/advisory-database/tree/main/vulns/dagster-ge/PYSEC-2025-102.yaml
https://github.com/advisories/GHSA-h7x8-jv97-fvvm