Dagster Webserver Directory Traversal Vulnerability in Logs Endpoint

Vulnerability

A directory traversal vulnerability has been identified in the Dagster webserver component, affecting versions through 1.5.11. This vulnerability allows remote attackers to access sensitive information by sending crafted requests to the /logs endpoint. The issue appears to be limited to certain file names that begin with a dot ('.').

Impact

Exploitation of this vulnerability could lead to unauthorized access to arbitrary files, including sensitive configuration files such as dagster.yaml, which may contain private information.

Reproduction

The vulnerability can be reproduced by sending a GET request to the /logs endpoint with a crafted file path that includes directory traversal sequences (such as '..') and a file name that starts with a dot. For example, the request could be crafted to access the user's .bash_history file.

Remediation

Users can upgrade to Dagster version 1.5.11 or later, where this vulnerability has been fixed.
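The two passages above describe the shape of the flaw (a `/logs` request whose file reference contains `..` and names a dot-prefixed file) and the fix (upgrade). For teams that cannot upgrade immediately, or that want to confirm whether the pattern was ever hit, the following added example shows both a hardened path check and a detection pass over access-log lines. It is not Dagster's code; the log root, the exact way a file name reaches `/logs` (path suffix or query value), and the sample log lines are all assumptions constructed for illustration.

```python
import re
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote

# Assumed log directory for the example; not Dagster's real storage layout.
LOG_ROOT = Path("/var/lib/dagster/logs")

# Shape of one request line in a common-log-format access log.
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def resolve_log_path(requested: str, root: Path = LOG_ROOT) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays inside `root`.

    Returns None for anything that should be refused: empty or NUL-containing
    names, absolute paths, any dot-prefixed component ('..' as well as names
    such as '.bash_history', the case the advisory singles out), and any path
    that still resolves outside `root` after symlink resolution.
    """
    decoded = unquote(requested)
    if not decoded or "\x00" in decoded:
        return None
    path = Path(decoded)
    if path.is_absolute():
        return None
    # Refuse every dot-prefixed component, which covers '..' and hidden files.
    if any(part.startswith(".") for part in path.parts):
        return None
    # Second layer: even a name that passed the checks above must resolve
    # underneath the root once symlinks are followed (strict=False so a
    # not-yet-existing log file is still accepted).
    candidate = (root / path).resolve(strict=False)
    try:
        candidate.relative_to(root.resolve(strict=False))
    except ValueError:
        return None
    return candidate


def flag_suspicious_requests(lines: List[str]) -> List[str]:
    """Return the request targets under /logs whose file reference fails resolve_log_path.

    The file reference is assumed to arrive either as the path after /logs/ or
    as any query-string value; both are checked.
    """
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        target = match.group("target")
        path, _, query = target.partition("?")
        if not path.startswith("/logs"):
            continue
        candidates = [path[len("/logs"):].lstrip("/")]
        for pair in query.split("&"):
            _, _, value = pair.partition("=")
            if value:
                candidates.append(value)
        if any(c and resolve_log_path(c) is None for c in candidates):
            hits.append(target)
    return hits


# Constructed sample access log: one ordinary log fetch, two traversal-shaped
# requests of the kind the advisory describes, and an unrelated request.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [07/Jul/2025:14:21:00 +0000] "GET /logs/run-abc123.log HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jul/2025:14:22:10 +0000] "GET /logs/../../../home/dagster/.bash_history HTTP/1.1" 200 812',
    '10.0.0.9 - - [07/Jul/2025:14:22:15 +0000] "GET /logs?file=..%2F..%2Fdagster.yaml HTTP/1.1" 200 2048',
    '10.0.0.5 - - [07/Jul/2025:14:23:00 +0000] "GET /graphql HTTP/1.1" 200 310',
]

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_ACCESS_LOG):
        print("suspicious /logs request:", hit)
```

The dot-prefix rule is deliberately broader than just `..`: it also refuses hidden files such as `.bash_history`, which matches the limitation the advisory notes. The `relative_to` check is kept as a second layer because a component-name filter alone says nothing about symlinks inside the log directory.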

Added: Jul 7, 2025, 2:21 PM
Updated: Jul 7, 2025, 4:51 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 8.7
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.