Cyber Resilience

CVE-2024-39903

Severity: High
Published: 12 July 2024
Modified: 10 April 2025
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
EPSS Score: 0.5303 (98.0th percentile)
Risk Priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-39903 is a high-severity Path Traversal (CWE-22) vulnerability in Widgetti Solara. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 2.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

Solara, a pure Python React-style framework for scaling Jupyter and web applications, contains a local file inclusion vulnerability in versions prior to 1.35.1. The flaw, tracked as CVE-2024-39903 and assigned CWE-22, stems from insufficient validation of URI fragments for directory traversal sequences such as '../' during static file serving, allowing unauthorized access to the underlying file system.

An unauthenticated remote attacker can exploit the issue over the network by crafting requests that manipulate the fragment portion of a URI. Successful exploitation yields high confidentiality impact through arbitrary file reads, along with limited integrity and availability effects, corresponding to the reported CVSS 3.1 score of 8.6.

The vulnerability was addressed in release 1.35.1 via commit df2fd66a7f4e8ffd36e8678697a8a4f76760dc54, as documented in GitHub Security Advisory GHSA-9794-pc4r-438w. Practitioners should upgrade affected installations and review the advisory for patch details.

The associated EPSS score stands at 0.5303 with no indicated increase from its peak value.

Vulnerability details

Solara is a pure Python, React-style framework for scaling Jupyter and web apps. A Local File Inclusion (LFI) vulnerability was identified in widgetti/solara, in version <1.35.1, which was fixed in version 1.35.1. This vulnerability arises from the application's failure to properly validate URI fragments for directory traversal sequences such as '../' when serving static files. An attacker can exploit this flaw by manipulating the fragment part of the URI to read arbitrary files on the local file system.

CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: widgetti
Product: solara
Versions: ≤ 1.35.1

Mitigating Controls

Likely Mitigating Controls (automated mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Path validation (addresses CWE-22): validates pathnames and filenames to prevent traversal outside intended directories.
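The control above, as an added example that is not Solara's own code: a static-file path resolver that decodes the request path, resolves '..' components and symlinks, and refuses anything that does not stay under the configured static root. The root directory and the sample requests are constructed for illustration.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Constructed static root for the example; a real server would configure this.
STATIC_ROOT = Path("/srv/app/static")


def resolve_static_path(requested: str, root: Path = STATIC_ROOT) -> Optional[Path]:
    """Map a client-supplied path to a file under `root`.

    Returns the resolved filesystem path, or None if the request would
    escape the static root (the CWE-22 condition this CVE describes).
    """
    decoded = unquote(requested)          # catch percent-encoded '../' (%2e%2e/) too
    if "\x00" in decoded:                 # embedded NUL bytes are never a valid filename
        return None
    # Strip leading separators: Path('/root') / '/etc/passwd' would discard the root.
    candidate = (root / decoded.lstrip("/\\")).resolve(strict=False)
    root_resolved = root.resolve(strict=False)
    try:
        candidate.relative_to(root_resolved)   # raises ValueError if outside the root
    except ValueError:
        return None
    return candidate


def is_safe_static_path(requested: str, root: Path = STATIC_ROOT) -> bool:
    """Convenience check: True only when the request stays inside the static root."""
    return resolve_static_path(requested, root) is not None


if __name__ == "__main__":
    # Constructed sample requests: the first two are benign, the rest are traversal attempts.
    samples = ["css/app.css", "css/../app.js",
               "../../../etc/passwd", "%2e%2e/%2e%2e/etc/passwd", "a%00.txt"]
    for req in samples:
        print(f"{req!r:32} -> {resolve_static_path(req)}")
```

Validation is done on the resolved path rather than by rejecting the literal string '../', so encoded, nested (`a/../../x`) and symlinked variants are all measured against the same containment rule.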