Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 15 pypi packages depend on nbconvert (14 direct, 1 indirect)
Ecosystem-wide dependent count for version 6.5.0.
DescriptionGitHub Advisory
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions 6.5 through 7.17.0 allow arbitrary file writes to locations outside the intended output directory when processing notebooks containing crafted cell attachment filenames. The ExtractAttachmentsPreprocessor passes attachment filenames directly to the filesystem without sanitization, enabling path traversal attacks. This vulnerability provides complete control over both the destination path and file extension. Version 7.17.1 contains a patch.
AnalysisAI
Arbitrary file write in Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated attackers to write files to arbitrary filesystem locations outside the intended output directory by crafting malicious cell attachment filenames in notebooks. The ExtractAttachmentsPreprocessor fails to sanitize attachment filenames, enabling path traversal that provides full control over destination paths and file extensions. Requires user interaction (opening a malicious notebook) and is patched in version 7.17.1.
Technical ContextAI
Jupyter nbconvert is a document conversion utility that transforms Jupyter Notebook files (ipynb format) into other formats using Jinja2 templating. The ExtractAttachmentsPreprocessor component handles embedded cell attachments (binary data encoded within notebook JSON) by extracting them to the filesystem during conversion. The vulnerability stems from CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, aka 'Path Traversal') in how attachment filenames are passed directly to file I/O operations without path canonicalization or basename filtering. An attacker can craft filenames containing path traversal sequences (e.g., '../../../malicious.py') to write files anywhere the nbconvert process has permissions, allowing code injection into system directories, configuration paths, or application directories.
RemediationAI
Upgrade to Jupyter nbconvert version 7.17.1 or later immediately. For organizations unable to upgrade immediately, restrict notebook processing to trusted sources only and disable the ExtractAttachmentsPreprocessor if attachment functionality is not required (via nbconvert configuration: set ExtractAttachmentsPreprocessor to disabled in jupyter_nbconvert_config.py or use --to=<format> --no-prompt flag without attachment processing). Additionally, run nbconvert with minimal filesystem permissions (dedicated user account with restricted directory access) to limit the scope of file writes. Users should avoid opening or converting untrusted notebook files until patched. The official advisory is available at https://github.com/jupyter/nbconvert/security/advisories/GHSA-4c99-qj7h-p3vg and patched release at https://github.com/jupyter/nbconvert/releases/tag/v7.17.1.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24023
GHSA-4c99-qj7h-p3vg