CVE-2021-32862

Name of the Vulnerable Software and Affected Versions nbconvert version 5.5.0

Description The GitHub Security Lab discovered a cross-site scripting vulnerability in nbconvert. When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML, which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server. The vulnerability can be exploited through various means, including the notebook.metadata.language info.pygments lexer field, notebook.metadata.title node, notebook.metadata.widgets node, notebook.cell.metadata.tags nodes, and other output data mime types such as text/html, image/svg+xml, text/markdown, and application/javascript.

Recommendations As a temporary workaround, consider disabling the use of nbconvert to generate HTML notebooks until a patch is available. Restrict access to the vulnerable nbconvert module to minimize the risk of exploitation. Avoid using user-controllable notebooks with nbconvert until the issue is resolved. Update to a newer version of nbconvert that contains a fix for this vulnerability, if available.