Uncontrolled external site redirect in jupyter-server

Description

Jupyter Server has an open redirection vulnerability in next query parameter

Summary

The ?next=... URL query parameter has an open redirection vulnerability. In jupyter_server<=2.17.0, this query parameter accepts redirection targets on arbitrary external domains, which can be exploited to facilitate phishing attacks against the server's users.

Details

The vulnerability is caused by insufficient validation in the LoginFormHandler._redirect_safe() method.

This vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.

PoC

1. Navigate to http://localhost:8888/login?next=///google.com

2. Observe that the user is redirected to google.com despite it being an external domain.

The external domain passed in the ?next parameter may be replaced with a malicious look-alike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially exposed: a user of prod.company.com may be redirected to a look-alike URL such as prod.company.dev.
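The Details and PoC sections above describe the failure mode: a ?next value that a URL parser reports as a plain path but that a browser resolves to an external host. The following is an added, illustrative "safe redirect" validator for this class of bug; it is not jupyter_server's own _redirect_safe() code and does not reproduce the project's actual fix, which the advisory does not show. The base_url parameter and the default landing page (/tree) are assumptions for the example. The check rejects explicit schemes and authorities, any leading "//" prefix (which covers the "///google.com" form from the PoC, for which Python's urlparse() yields an empty netloc), backslash variants, header-splitting control characters, and ".." escapes outside the configured base URL.

```python
import posixpath
from urllib.parse import urlparse

# Added example (not jupyter_server's own implementation). base_url and the
# default landing page are assumed values for the demonstration.


def is_safe_redirect(next_url: str, base_url: str = "/") -> bool:
    """Return True only if next_url is a same-origin path under base_url."""
    if not next_url:
        return False
    # Control characters and whitespace could split the Location header or
    # hide a leading slash from a naive prefix check; reject them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in next_url):
        return False
    # Browsers treat backslashes as forward slashes in http(s) URLs, so
    # "/\evil.example" behaves like "//evil.example". Normalise first.
    candidate = next_url.replace("\\", "/")
    parsed = urlparse(candidate)
    # An explicit scheme or authority component is always an external target.
    if parsed.scheme or parsed.netloc:
        return False
    # Protocol-relative forms: "//host" and, as in the PoC, "///host".
    # urlparse("///host") reports netloc == "" and path == "/host", yet a
    # browser resolves a "Location: ///host" header to http(s)://host, so the
    # textual prefix must be rejected regardless of what the parser says.
    if candidate.startswith("//"):
        return False
    # Require an absolute path on this server; a relative path would be
    # resolved against the current page and is not worth the ambiguity.
    if not candidate.startswith("/"):
        return False
    # Collapse "." and ".." segments so "/base/../other" cannot leave base_url.
    path = posixpath.normpath(parsed.path)
    base = base_url.rstrip("/")
    return path == base or path.startswith(base + "/")


def redirect_target(next_url: str, base_url: str = "/", default: str = "/tree") -> str:
    """Return next_url if it passes is_safe_redirect, else the default landing page."""
    if is_safe_redirect(next_url, base_url):
        return next_url.replace("\\", "/")
    # Fall back to a page under base_url instead of echoing the unsafe value.
    return posixpath.join(base_url, default.lstrip("/"))


if __name__ == "__main__":
    # Constructed sample ?next values, including the PoC payload.
    samples = [
        "///google.com",
        "//google.com",
        "https://google.com",
        "/\\google.com",
        "/tree",
        "/lab?path=notebook.ipynb",
    ]
    for value in samples:
        print(f"{value!r:32} -> {redirect_target(value)}")
```

Used at the point where a login handler decides where to send the user, the handler would redirect to redirect_target(next_value, base_url) and never to the raw query parameter. The textual "//" check is deliberately separate from the urlparse() check: relying on the parser alone is exactly what lets the triple-slash form through.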

Impact

This vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.

Patches

Jupyter Server 2.18+

Workaround

None.
