PT-2024-26389 · Unknown · Jupyter Server Proxy

Manics · Published 2024-06-11 · Updated 2024-06-13 · CVE-2024-35225

CVSS v3.1: 9.6 Critical

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

jupyter-server-proxy versions 3.0.0 through 3.2.3
jupyter-server-proxy versions 4.0.0 through 4.1.2
Description

The issue is a reflected cross-site scripting (XSS) vulnerability. The /proxy endpoint accepts a host path segment in the form /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value of host without sanitization. A third-party actor can leverage this by sending a user a phishing link whose invalid host value contains custom JavaScript. When the user clicks the link, the browser renders the response to GET /proxy/<host>, which runs the JavaScript the actor placed in host. This gives the actor extensive access to the user's JupyterLab instance.
Recommendations

For versions 3.0.0 through 3.2.3, update to version 3.2.4 to resolve the issue. For versions 4.0.0 through 4.1.2, update to version 4.2.0 to resolve the issue. As a temporary workaround, server operators who are unable to upgrade can disable the jupyter-server-proxy extension by running the command jupyter server extension disable jupyter-server-proxy.
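The pattern the description refers to, as an added illustration that is not jupyter-server-proxy's own code: a minimal /proxy/<host> handler that rejects a malformed host segment, shown with the error page built both with and without output escaping, plus a small check a reviewer can run over a rendered body. The allowlist regex, function names and the crafted host value are assumptions made for this example.

```python
import html
import re

# Added illustration of the advisory's pattern, not jupyter-server-proxy's own
# code: a /proxy/<host> handler that rejects a malformed host segment and
# builds an error page that reflects that value.

# Assumed allowlist for a host segment: hostname or IP, optional port.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}(:\d{1,5})?$")


def render_error_unsafe(host: str) -> str:
    """'Before' form: the rejected value is interpolated verbatim, so any
    markup it carries is rendered by the browser (reflected XSS)."""
    return f"<html><body><h1>Invalid host</h1><p>{host}</p></body></html>"


def render_error_safe(host: str) -> str:
    """'After' form: HTML-escape the reflected value so it is shown as text."""
    return (
        "<html><body><h1>Invalid host</h1><p>"
        + html.escape(host, quote=True)
        + "</p></body></html>"
    )


def handle_proxy(host: str, safe: bool = True) -> tuple[int, str]:
    """Validate the segment first; a non-conforming value never reaches the
    proxy and is only echoed back through the chosen renderer."""
    if HOST_RE.match(host):
        return 200, f"proxying to {host}"
    body = render_error_safe(host) if safe else render_error_unsafe(host)
    return 400, body


def reflected_markup_leaks(body: str) -> bool:
    """Review check for a rendered error page: a raw '<' inside the <p>
    element means the reflected value was not escaped."""
    m = re.search(r"<p>(.*?)</p>", body, re.S)
    return m is not None and "<" in m.group(1)


if __name__ == "__main__":
    # Constructed input: a host segment carrying markup instead of a name.
    crafted = "evil<b>x</b>"
    for flag in (False, True):
        status, body = handle_proxy(crafted, safe=flag)
        print(status, "leaks" if reflected_markup_leaks(body) else "escaped")
```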

Weakness Enumeration

Improper Encoding or Escaping of Output
XSS

Related Identifiers

CVE-2024-35225
GHSA-FVCQ-4X64-HQXR
PYSEC-2024-236

Affected Products

Jupyter Server Proxy