VYPR
High severity · 7.5 · GHSA Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026

CVE-2023-51232

Description

Directory traversal vulnerability in dagster-webserver (Dagster through 1.5.11) allows remote attackers to obtain sensitive information via a crafted request to the /logs endpoint. This may be restricted to certain file names that start with a dot ('.').
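The weakness is a log path built from request-controlled segments without confirming that the resolved file still lies under the log directory. The following added example (not Dagster's code) contrasts a string-prefix containment check with a component-wise one; `prefix_check_path`, `contained_path`, `demo` and the constructed temp-directory layout are all assumptions made for illustration.

```python
import os
import tempfile
from typing import Callable, Dict, Sequence, Tuple


def prefix_check_path(base_dir: str, namespace: Sequence[str], filename: str) -> str:
    """Weaker form: normalise the joined path and test it as a string prefix of base_dir.
    This rejects plain '..' traversal, but accepts any sibling directory whose name
    merely begins with base_dir (see the 'sibling' case below)."""
    location = os.path.abspath(os.path.join(base_dir, *namespace, filename))
    if not location.startswith(base_dir):
        raise ValueError("Invalid path")
    return location


def contained_path(base_dir: str, namespace: Sequence[str], filename: str) -> str:
    """Hardened form: resolve symlinks on both sides and compare whole path components,
    so only true descendants of base_dir are accepted."""
    root = os.path.realpath(base_dir)
    location = os.path.realpath(os.path.join(root, *namespace, filename))
    if os.path.commonpath([root, location]) != root:
        raise ValueError("Invalid path")
    return location


def probe(check: Callable[[str, Sequence[str], str], str],
          base_dir: str, namespace: Sequence[str], filename: str) -> str:
    """Return 'allowed' or 'rejected' for one (namespace, filename) request."""
    try:
        check(base_dir, namespace, filename)
        return "allowed"
    except ValueError:
        return "rejected"


# Constructed request shapes (hypothetical, not taken from any real traffic).
CASES: Dict[str, Tuple[Sequence[str], str]] = {
    "normal": (["run1"], "stdout"),              # ordinary log lookup
    "dotdot": ([".."], "secret"),                # parent-directory escape
    "absolute": ([], "/etc/hostname"),           # os.path.join discards base on absolute input
    "sibling": (["..", "logs-other"], "stdout"), # sibling dir sharing the base name as prefix
}


def demo() -> Dict[str, Tuple[str, str]]:
    """Run every case through both checks inside a throwaway directory tree.
    Returns {case: (prefix_check verdict, contained_path verdict)}."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "logs")
        os.makedirs(base)
        os.makedirs(base + "-other")  # the sibling that defeats the prefix test
        return {
            name: (probe(prefix_check_path, base, ns, fn), probe(contained_path, base, ns, fn))
            for name, (ns, fn) in CASES.items()
        }


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:9s} prefix={verdicts[0]:9s} commonpath={verdicts[1]}")
```

Both checks stop the `..` and absolute-path cases, but only the `commonpath` comparison rejects the sibling directory, and only `realpath` accounts for symlinks placed inside the log tree; both are cheap to apply once the base directory has been normalised at construction time.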

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
dagster (PyPI)    < 1.5.11            1.5.11


Patches

dbb064c2ddda

fix: path traversal in logs endpoint (#18462)

2 files changed · +15 −1
  • python_modules/dagster/dagster/_core/storage/local_compute_log_manager.py  +5 −1  modified
    @@ -226,7 +226,11 @@ def get_captured_local_path(self, log_key: Sequence[str], extension: str, partia
                 filename = f"(unknown).partial"
             if len(filename) > MAX_FILENAME_LENGTH:
                 filename = "{}.{}".format(hashlib.md5(filebase.encode("utf-8")).hexdigest(), extension)
    -        return os.path.join(self._base_dir, *namespace, filename)
    +        location = os.path.join(self._base_dir, *namespace, filename)
    +        location = os.path.abspath(location)
    +        if not location.startswith(self._base_dir):
    +            raise ValueError("Invalid path")
    +        return location
     
         def subscribe(
             self, log_key: Sequence[str], cursor: Optional[str] = None
    
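Review bot: the containment check at `if not location.startswith(self._base_dir):` is a string-prefix test, so a resolved `location` inside a sibling directory whose name extends the base (a base of `.../logs` and a target under `.../logs-other`) passes it, and it only holds at all if `self._base_dir` is already absolute and normalised the same way `os.path.abspath` normalises `location`. Consider comparing path components instead, e.g. `if os.path.commonpath([self._base_dir, location]) != self._base_dir:`, with `self._base_dir` normalised once in the constructor, and prefer `os.path.realpath` over `os.path.abspath` if symlinks inside the log directory must not lead outside it. A bare `ValueError("Invalid path")` also leaves every caller to translate the failure into an HTTP status; a dedicated exception type would make that mapping explicit.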
  • python_modules/dagster-webserver/dagster_webserver_tests/webserver/test_app.py  +10 −0  modified
    @@ -289,3 +289,13 @@ def test_async(test_client: TestClient):
         result = response.json()
         assert result["data"]["test"]["one"] == "slept", result
         assert result["data"]["test"]["two"] == "slept concurrently", result
    +
    +
    +def test_download_captured_logs_not_found(test_client: TestClient):
    +    response = test_client.get("/logs/does-not-exist/stdout")
    +    assert response.status_code == 404
    +
    +
    +def test_download_captured_logs_invalid_path(test_client: TestClient):
    +    with pytest.raises(ValueError, match="Invalid path"):
    +        test_client.get("/logs/%2e%2e/secret/txt")
    
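Review bot: `test_download_captured_logs_invalid_path` asserts that `ValueError` escapes `test_client.get(...)`, which means the webserver surfaces a rejected path as an unhandled exception (a 500 in production) rather than a client error; consider having the `/logs` route catch it and return 404 or 400, then assert on `response.status_code` as `test_download_captured_logs_not_found` does. The test also exercises only the URL-encoded `%2e%2e` form; a case with a literal `..` segment and one with an absolute path would confirm the check runs after decoding and for each traversal shape. `pytest` is referenced here but not imported by this hunk; confirm it is already imported at the top of `test_app.py`.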
