Impact
The flaw stems from the use of fnmatch.fnmatchcase to enforce excluded_paths in JupyterLab Git’s GitHandler.prepare. On a case‑insensitive file system an authenticated user can alter the capitalization of a URL path and bypass the exclusion, allowing them to read files that should be protected. This is a case‑sensitivity (CWE‑178) error that jeopardizes confidentiality of potentially private repository content.
Affected Systems
The vulnerability affects the jupyterlab-git extension for JupyterLab before version 0.54.0. Any installation of jupyterlab‑git 0.53.x or earlier that relies on excluded_paths is impacted.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity of unauthorized data exposure. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an authenticated user inside a JupyterLab instance on a case‑insensitive file system altering URL path casing to read excluded directories. The vulnerability can be exploited with minimal credentials, so careful monitoring and prompt patching are recommended.
OpenCVE Enrichment
Github GHSA