CVE-2026-5422
Description
Path traversal in jupyter-server 2.17.0 allows unauthorized file access due to improper path boundary checks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A path traversal vulnerability exists in jupyter-server version 2.17.0. The _get_os_path() function in jupyter_server/services/contents/fileio.py incorrectly checks the root directory boundary using startswith(root) without appending a trailing path separator. This allows sibling directories with names starting with the same prefix as root_dir to bypass the check. Furthermore, the to_os_path() function in utils.py does not strip .. from path parts, enabling traversal sequences to bypass the vulnerable check [1].
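To make the two defects concrete, here is an added Python illustration that reimplements the check pattern described above against constructed paths; it is not jupyter-server's code, and ROOT, the function names and the sample paths are assumptions. It also shows that appending a separator alone fixes only the sibling-prefix case, not the un-normalised ".." case.

```python
import posixpath

# Constructed sample root; the functions below are an added illustration of the
# check pattern the advisory describes, not jupyter-server's own code.
ROOT = "/srv/notebooks"

def to_os_path_unstripped(root: str, api_path: str) -> str:
    """Join API path parts onto root WITHOUT dropping '..' parts, as the
    advisory says the vulnerable to_os_path() did."""
    return posixpath.join(root, *api_path.strip("/").split("/"))

def weak_check(root: str, candidate: str) -> bool:
    """The flawed boundary test: a bare string prefix comparison."""
    return candidate.startswith(root)

def sep_only_check(root: str, candidate: str) -> bool:
    """Appending a separator rejects a sibling that merely shares the prefix,
    but still accepts an un-normalised '..' path that begins with root/."""
    return candidate == root or candidate.startswith(root + "/")

def hardened_check(root: str, candidate: str) -> bool:
    """Normalise first (collapsing '..'), then compare whole path components."""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(candidate)
    try:
        return posixpath.commonpath([root, candidate]) == root
    except ValueError:  # mixing absolute and relative paths
        return False

# Constructed candidates, keyed by which behaviour they exercise.
CASES = {
    "inside": to_os_path_unstripped(ROOT, "a/b.ipynb"),
    "dotdot_still_inside": to_os_path_unstripped(ROOT, "a/../b.ipynb"),
    "sibling_prefix": "/srv/notebooks_shared/x.txt",
    "dotdot_to_sibling": to_os_path_unstripped(ROOT, "../notebooks_shared/x.txt"),
    "dotdot_escape": to_os_path_unstripped(ROOT, "../../etc/x.txt"),
}

def evaluate(root: str = ROOT) -> dict[str, tuple[bool, bool, bool]]:
    """Return (weak, sep_only, hardened) verdicts for every constructed case."""
    return {
        name: (weak_check(root, c), sep_only_check(root, c), hardened_check(root, c))
        for name, c in CASES.items()
    }

if __name__ == "__main__":
    for name, (weak, sep_only, hardened) in evaluate().items():
        print(f"{name:20s} weak={weak} sep_only={sep_only} hardened={hardened}")
```

Only the normalise-then-commonpath check rejects every out-of-root case while still accepting a ".." that resolves back inside the root.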
Exploitation
An attacker needs to be able to interact with the jupyter-server instance. By crafting a malicious path that includes .. sequences and a filename that shares a prefix with the intended root directory, an attacker can manipulate the path to access files outside the intended directory structure [1].
Impact
Successful exploitation allows an attacker to gain unauthorized read or write access to files located in sibling directories relative to the jupyter-server root directory. This could lead to the exposure of sensitive data, particularly in shared hosting environments where multiple users or applications share the same server [1].
Mitigation
Jupyter-server version 2.17.0 is affected. A fix is available in later versions of jupyter-server, and users are advised to upgrade to a patched version as soon as possible. The specific patch version and release date are not detailed in the available references [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: =2.17.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.