
Jining Huang

#31599 of 53,635
8.1 Total CVSS
Vulnerabilities · 1
PT-2020-14192
8.1
2020-07-17
Jupyterhub · Kubespawner · CVE-2020-15110
**Name of the Vulnerable Software and Affected Versions**
jupyterhub-kubespawner versions prior to 0.12

**Description**
The issue allows users with certain usernames to craft particular server names that grant them access to the default server of other users with matching usernames. It affects JupyterHub deployments that use KubeSpawner with named servers enabled and an authenticator that allows usernames containing hyphens or other characters that require escaping. The estimated number of potentially affected devices is not specified.

**Recommendations**
For versions prior to 0.12, upgrade to kubespawner 0.12 or zero-to-jupyterhub 0.9.1. As a temporary workaround for KubeSpawner, configure the PatchedKubeSpawner class to modify the pod name template and PVC name template, but remove this configuration after upgrading to ensure consistent naming.