Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
6Blast Radius
ecosystem impact- 15 pypi packages depend on nbconvert (14 direct, 1 indirect)
Ecosystem-wide dependent count for version 6.5.0.
DescriptionGitHub Advisory
The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. In versions 6.5 through 7.17.0, when HTMLExporter.embed_images=True, nbconvert's markdown renderer allows arbitrary file read via path traversal in image references. A malicious notebook can exfiltrate sensitive files from the conversion host by embedding them as base64 data URIs in the output HTML. nbconvert 7.17.1 contains a fix. As a workaround, do not enable HTMLExporter.embed_images; it is not enabled by default.
AnalysisAI
Jupyter nbconvert 6.5 through 7.17.0 allows unauthenticated remote attackers to read arbitrary files from the conversion host when HTMLExporter.embed_images is enabled, by embedding malicious image references with path traversal sequences in a crafted notebook. A malicious actor can exfiltrate sensitive files as base64-encoded data URIs in the output HTML, achieving confidentiality breach with no integrity or availability impact. Vendor-released patch: version 7.17.1.
Technical ContextAI
nbconvert is a Jupyter utility that converts notebook files (.ipynb) to multiple output formats (HTML, PDF, Markdown, etc.) using Jinja2 templating. When the HTMLExporter.embed_images feature is enabled, image references within notebooks are processed by the markdown renderer and embedded directly into the output HTML as base64 data URIs. The vulnerability exists in the path resolution logic within the markdown renderer: it does not properly validate or sanitize image file paths before attempting to read them from the file system. An attacker can craft image references using path traversal sequences (e.g., ../../../etc/passwd) to escape the intended notebook directory and access sensitive files anywhere on the conversion host. The root cause is insufficient input validation of file paths (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). The affected product, identified by CPE cpe:2.3:a:jupyter:nbconvert:*:*:*:*:*:*:*:*, spans multiple versions; the vulnerability is present in all releases from 6.5 through 7.17.0.
RemediationAI
Upgrade to Jupyter nbconvert 7.17.1 or later, which contains the vendor-released fix for path traversal in image references. This is the primary remediation and should be prioritized. For organizations unable to immediately patch, disable the HTMLExporter.embed_images feature; since this feature is not enabled by default, verify your nbconvert configuration (typically in jupyter_nbconvert_config.py or equivalent) does not set c.HTMLExporter.embed_images = True. If notebooks must be converted with embedded images, restrict conversion to trusted notebooks only and perform conversion in an isolated environment (e.g., containerized or sandboxed) where sensitive files are not accessible. Implement file system access controls to limit the nbconvert process's read permissions to necessary directories only; this provides defense-in-depth but does not substitute for patching. Additional guidance is available at https://github.com/jupyter/nbconvert/releases/tag/v7.17.1.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24025
GHSA-7jqv-fw35-gmx9