UsamaK98 Python-Notebook-MCP Path Traversal Vulnerability Allowing Workspace Escape

Vulnerability

A path traversal vulnerability has been identified in UsamaK98's python-notebook-mcp application, specifically in the notebook manipulation functions of server.py. Notebook file paths supplied as absolute paths or containing traversal segments are not confined to the initialized workspace, which enables unauthorized read or write access to notebook files outside the designated directory. The vulnerability can be exploited remotely, and although the project has been notified, no response has been received.

Impact

Exploitation of this vulnerability allows for unauthorized access to notebook files outside the initialized workspace, potential overwriting or creation of files in those locations, and could disrupt local workflows by corrupting files.

Reproduction

To reproduce this vulnerability, first initialize the workspace with a safe directory. Then, use the notebook tools to create a notebook by specifying a filepath that traverses outside the workspace directory, either by using relative traversal segments or absolute paths. After executing the command, the notebook file will be created outside the designated workspace, demonstrating the path traversal vulnerability.

Remediation

It is recommended to update the path handling logic to canonicalize paths and enforce strict boundaries within the workspace directory. Absolute paths should be rejected from untrusted inputs unless explicitly allowed, and traversal segments should be blocked after normalization. Additionally, regression tests should be added to cover absolute and traversal payloads on both Linux and Windows.
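As an added example, not code from python-notebook-mcp, the following hypothetical helper implements the remediation described above: it rejects absolute, rooted and drive-qualified input, canonicalizes the joined path, checks containment only after normalization, and carries a small set of constructed regression payloads covering both POSIX and Windows forms. The function names and the workspace path are assumptions.

```python
from pathlib import Path, PurePosixPath, PureWindowsPath

# Hypothetical helper, not code from python-notebook-mcp: maps a user-supplied
# notebook filepath onto the workspace and refuses anything that escapes it.
class WorkspaceEscapeError(ValueError):
    """Raised when a requested notebook path would leave the workspace."""

def resolve_in_workspace(workspace: str, user_path: str) -> Path:
    """Return the canonical path of user_path inside workspace, or raise."""
    posix, win = PurePosixPath(user_path), PureWindowsPath(user_path)
    # Reject absolute, rooted and drive-qualified input before any joining,
    # checking both flavours so "C:\..." or "\\server\share" is caught on Linux too.
    if posix.is_absolute() or win.is_absolute() or win.drive or win.root:
        raise WorkspaceEscapeError(f"absolute path rejected: {user_path!r}")
    root = Path(workspace).resolve()
    # Treat backslashes as separators so "..\\..\\x" is normalized on POSIX as well.
    candidate = (root / user_path.replace("\\", "/")).resolve()
    # Containment is checked only after canonicalization, so ".." segments and
    # symlinks pointing outside the workspace are both caught; the workspace
    # directory itself is not a valid notebook path, so it is excluded too.
    if root not in candidate.parents:
        raise WorkspaceEscapeError(f"path escapes workspace: {user_path!r}")
    return candidate

def is_within_workspace(workspace: str, user_path: str) -> bool:
    """Boolean form used by the regression checks below."""
    try:
        resolve_in_workspace(workspace, user_path)
        return True
    except WorkspaceEscapeError:
        return False

# Constructed regression payloads covering the cases named in the remediation:
# relative traversal, absolute POSIX and Windows paths, and benign inputs.
REGRESSION_CASES = {
    "notes/analysis.ipynb": True,
    "notes/../analysis.ipynb": True,
    "../../escape.ipynb": False,
    "..\\..\\escape.ipynb": False,
    "/outside/escape.ipynb": False,
    "C:\\outside\\escape.ipynb": False,
    "\\\\server\\share\\escape.ipynb": False,
}

def run_regression_checks(workspace: str = "/tmp/notebook_workspace") -> dict:
    """Map each payload to True when the verdict matches the expectation."""
    return {p: is_within_workspace(workspace, p) == ok for p, ok in REGRESSION_CASES.items()}
```

Because the check runs on the resolved path, a symlink inside the workspace that points outside it is also rejected, which is the intended strict behaviour.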

Added: May 5, 2026, 4:26 AM
Updated: May 5, 2026, 4:26 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.4
exploitability: 8.7
remediation: 0.0
relevance: 7.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.