Manicspublished

**Name of the Vulnerable Software and Affected Versions** jupyter-server-proxy versions 3.0.0 through 3.2.3 jupyter-server-proxy versions 4.0.0 through 4.1.2 **Description** The issue concerns a reflected cross-site scripting (XSS) problem. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. This issue permits extensive access to the user's JupyterLab instance for an actor. **Recommendations** For versions 3.0.0 through 3.2.3, update to version 3.2.4 to resolve the issue. For versions 4.0.0 through 4.1.2, update to version 4.2.0 to resolve the issue. As a temporary workaround, server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension by running the command `jupyter server extension disable jupyter-server-proxy`.