nbconvert, Arbitrary File Read via Path Traversal (Moderate)

Listen to this Post

The vulnerability exists in nbconvert when `HTMLExporter.embed_images=True` is enabled. In this mode, the markdown renderer processes image references (e.g., ![alt](path)) by reading the image file from the local filesystem and embedding its contents as a base64 data URI into the output HTML. Due to insufficient sanitization of the file path, an attacker can inject path traversal sequences like `../../../../etc/passwd` inside the image markdown tag. The renderer then reads the arbitrary file, encodes it as base64, and embeds it directly into the exported HTML page. Because the conversion process runs on the server or user’s machine, any file accessible to the nbconvert process can be exfiltrated. The attack requires a malicious Jupyter notebook that contains such crafted image references. When a victim converts that notebook with embed_images=True, the sensitive file content appears inside the generated HTML. The issue is not present when `embed_images=False` (the default). The root cause is the lack of path normalization or restriction to allowed directories before passing the path to file-reading functions. No authentication or additional privileges are needed beyond the ability to run nbconvert on a notebook. The vulnerability was fixed in nbconvert 7.17.1 by validating that the image path stays within the notebook’s directory or an explicitly allowed base path.

dailycve form (3 words max per line):

Platform: Jupyter nbconvert
Version: <7.17.1
Vulnerability: Path traversal
Severity: Moderate
date: 2026-04-21

Prediction: Patch already available

What Undercode Say:

Analytics – Attackers can exploit this in CI/CD pipelines that automatically convert untrusted notebooks. Monitoring for `embed_images=True` usage is critical.

Check if embed_images is enabled in config
grep -r "embed_images\s=\sTrue" /etc/jupyter/ ~/.jupyter/
Test for vulnerability (safe example)
echo '<img src=".../.../.../etc/passwd" alt="alt" />' > test.md && jupyter nbconvert --to html --HTMLExporter.embed_images=True test.md && grep -i "root:" test.html

Exploit:

Craft a notebook cell with ![evil](../../../../etc/passwd). When converted, the HTML contains data:image/png;base64,<base64 of /etc/passwd>. An attacker can extract the base64 blob and decode it.

Protection from this CVE:

Upgrade to nbconvert >=7.17.1. If upgrade impossible, never set HTMLExporter.embed_images=True. Use `–HTMLExporter.embed_images=False` explicitly. Sanitize notebook inputs with a trusted markdown filter before conversion.

Impact:

Arbitrary file read from the conversion host, leading to exfiltration of sensitive data (e.g., SSH keys, cloud credentials, source code). In multi-tenant JupyterHub environments, one user’s notebook can read another’s files if nbconvert runs with shared permissions.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top