logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-35225 jupyter-server-proxy

Package

Manager: pip
Name: jupyter-server-proxy
Vulnerable Version: >=3.0.0 <3.2.4 || >=4.0.0 <4.2.0

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00801 pctl0.73198

Details

Jupyter Server Proxy has a reflected XSS issue in host parameter ### Impact There is a reflected cross-site scripting (XSS) issue in `jupyter-server-proxy`[1]. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. This issue exists in the latest release of `jupyter-server-proxy`, currently `v4.1.2`. **Impacted versions:** `>=3.0.0,<=4.1.2` ### Patches The patches are included in `==4.2.0` and `==3.2.4`. ### Workarounds Server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension with: ``` jupyter server extension disable jupyter-server-proxy ``` ### References [1] : https://github.com/jupyterhub/jupyter-server-proxy/ [2] : https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328

Metadata

Created: 2024-06-11T21:12:47Z
Modified: 2025-02-28T17:38:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fvcq-4x64-hqxr/GHSA-fvcq-4x64-hqxr.json
CWE IDs: ["CWE-116", "CWE-79"]
Alternative ID: GHSA-fvcq-4x64-hqxr
Finding: F008
Auto approve: 1