Anonymous Intelligence Signal

nbconvert 7.17.1 Security Update Patches Critical Path Traversal Vulnerability (CVE-2026-39377)

The Lab (unverified) | 2026-04-22 06:22:39 | Source: GitHub Issues

A critical security vulnerability in nbconvert, the tool used to convert Jupyter notebooks to other formats, has been patched. The flaw, tracked as CVE-2026-39377 (GHSA-4c99-qj7h-p3vg), allows arbitrary file writes via path traversal in cell attachment filenames. A maliciously crafted notebook can cause attachment data to be written to locations outside the designated output directory, which is a significant risk for any system that converts untrusted notebook files.

The vulnerability resides in the `ExtractAttachmentsPreprocessor` component of nbconvert versions prior to 7.17.1. When a notebook is converted, this preprocessor writes each cell attachment out to disk using the attachment's name as the filename, and it failed to sanitize that name. An attacker who controls the notebook can therefore embed traversal sequences (such as `../`) in an attachment name and escape the output directory. What can be overwritten or planted depends entirely on the permissions of the process running nbconvert; in the worst case that means clobbering files elsewhere on the filesystem or dropping scripts that are later executed. Version 7.17.1 fixes the filename handling.
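The following is an added illustration of the bug class, not nbconvert's own code and not the actual patch: it parses a constructed nbformat-style notebook, shows how a naive `os.path.join` on an attachment name lets `../` sequences (and, more generally, absolute names, which `os.path.join` silently treats as replacing the base directory) escape the output directory, and puts a hardened filename check beside it. The notebook content, the output directory `/tmp/nb_out`, and the function names `vulnerable_target`, `safe_target` and `classify` are all assumptions made for this example.

```python
import json
import os
from pathlib import Path

# Constructed sample notebook (nbformat v4 layout) for this example only.
# It carries one benign attachment and two hostile attachment names: a
# relative traversal and an absolute path. Not a real exploit file.
SAMPLE_NOTEBOOK = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [{
        "cell_type": "markdown",
        "metadata": {},
        "source": "![img](attachment:image.png)",
        "attachments": {
            "image.png": {"image/png": "aGVsbG8="},
            "../../../outside.txt": {"text/plain": "planted"},
            "/tmp/absolute.txt": {"text/plain": "planted"},
        },
    }],
})


def iter_attachments(nb_json):
    """Yield (attachment_name, mime_type, data) for every cell attachment."""
    nb = json.loads(nb_json)
    for cell in nb.get("cells", []):
        for name, mime_bundle in cell.get("attachments", {}).items():
            for mime, data in mime_bundle.items():
                yield name, mime, data


def vulnerable_target(output_dir, name):
    # Naive pattern: the attacker-controlled name is joined straight onto
    # the output directory. "../x" walks out of it, and an absolute name
    # makes os.path.join discard output_dir altogether.
    return os.path.join(output_dir, name)


def safe_target(output_dir, name):
    # Hardened pattern: attachment names must be bare filenames, and the
    # resolved destination must be a direct child of the output directory.
    if not name or name in (".", "..") or "/" in name or os.sep in name:
        raise ValueError(f"unsafe attachment name: {name!r}")
    base = Path(output_dir).resolve()
    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise ValueError(f"attachment escapes output dir: {name!r}")
    return str(candidate)


def classify(nb_json, output_dir="/tmp/nb_out"):
    """For each attachment, report whether the naive join escapes the
    output directory and whether the hardened check would accept it."""
    root = os.path.normpath(output_dir) + os.sep
    results = {}
    for name, _mime, _data in iter_attachments(nb_json):
        naive = os.path.normpath(vulnerable_target(output_dir, name))
        escapes = not naive.startswith(root)
        try:
            safe_target(output_dir, name)
            accepted = True
        except ValueError:
            accepted = False
        results[name] = {
            "naive_escapes_output_dir": escapes,
            "hardened_accepts": accepted,
        }
    return results


if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_NOTEBOOK).items():
        print(f"{name!r}: {verdict}")
```

Before relying on a fix in production, confirm the installed version with `python -c "import nbconvert; print(nbconvert.__version__)"` and upgrade with `pip install -U "nbconvert>=7.17.1"`; the check above is a generic defence for any code that derives filenames from notebook content, not a substitute for the upstream patch.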

This patch is a mandatory update for any environment where nbconvert processes notebooks from untrusted sources, which is common in data science collaboration platforms, automated grading systems, and CI/CD pipelines. The vulnerability underscores the persistent security challenges in tools that handle complex, user-generated content like Jupyter notebooks, where embedded data and metadata (here, attachment names that end up as filesystem paths) can become attack vectors. Developers and system administrators are urged to apply the update immediately to mitigate the risk of exploitation.