PT-2024-30672 · Unknown+1 · Jupyter Notebook+5

Krassowski · Published 2024-08-28 · Updated 2025-12-08 · CVE-2024-43805

CVSS v4.0: 8.8 (High)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

  • JupyterLab versions prior to 3.6.8
  • JupyterLab versions prior to 4.2.5
  • Jupyter Notebook versions prior to 7.2.2

Description

Exploitation depends on user interaction: the victim must open a malicious notebook containing Markdown cells, or a malicious Markdown file using the JupyterLab preview feature. A malicious user can then access any data that the attacked user has access to and perform arbitrary requests acting as the attacked user.

Recommendations

To resolve the issue, upgrade to JupyterLab version 3.6.8, 4.2.5 or later, or Jupyter Notebook version 7.2.2 or later. As a temporary workaround, consider disabling the following plugins:

  • @jupyterlab/mathjax-extension:plugin to prevent previewing mathematical equations
  • @jupyterlab/markdownviewer-extension:plugin to prevent opening Markdown previews
  • @jupyterlab/mathjax2-extension:plugin (if installed) to prevent using an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions, run the following commands in bash:

    jupyter labextension disable @jupyterlab/markdownviewer-extension:plugin
    jupyter labextension disable @jupyterlab/mathjax-extension:plugin
    jupyter labextension disable @jupyterlab/mathjax2-extension:plugin
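
Added example (not part of the original advisory or the Jupyter project's code): a bash check that classifies a version string against the fixed releases listed above. It assumes 3.6.8 fixes the JupyterLab 3.x line and 4.2.5 fixes the 4.x line, and that a sort with -V (version sort) is available; the function names and sample versions are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: classify versions against the fixed releases in this advisory.

# version_lt A B: true when A sorts strictly before B in version order.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected PRODUCT VERSION: exit 0 if VERSION predates the fix for its line.
# Assumption: 3.6.8 fixes the JupyterLab 3.x line and 4.2.5 the 4.x line, so
# 4.0.0 through 4.2.4 are affected even though they sort after 3.6.8.
is_affected() {
    case "$1" in
        jupyterlab)
            case "$2" in
                4.*) version_lt "$2" 4.2.5 ;;
                *)   version_lt "$2" 3.6.8 ;;
            esac ;;
        notebook) version_lt "$2" 7.2.2 ;;
        *) echo "unknown product: $1" >&2; return 2 ;;
    esac
}

# report PRODUCT VERSION: print a verdict line for one installation.
report() {
    if is_affected "$1" "$2"; then
        echo "$1 $2: AFFECTED (CVE-2024-43805), upgrade or disable the plugins"
    else
        echo "$1 $2: at or past the fixed release"
    fi
}

# Constructed sample versions covering both JupyterLab release lines.
for pair in jupyterlab:3.6.7 jupyterlab:3.6.8 jupyterlab:4.0.0 \
            jupyterlab:4.2.5 notebook:7.2.1 notebook:7.2.2; do
    report "${pair%%:*}" "${pair#*:}"
done

# Against a live installation:
#   report jupyterlab "$(jupyter lab --version)"
#   report notebook   "$(jupyter notebook --version)"
```

A single "older than 4.2.5" comparison would wrongly flag the fixed 3.6.8 release, which is why the check is done per release line.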

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-14780
ALT-PU-2025-8028
BIT-JUPYTER-BASE-NOTEBOOK-2024-43805
BIT-JUPYTER-NOTEBOOK-2024-43805
BIT-JUPYTERLAB-2024-43805
CVE-2024-43805
GHSA-9Q39-RMJ3-P4R2
OPENSUSE-SU-2024:0352-1

Affected Products

@jupyterlab/markdownviewer-extension
@jupyterlab/mathjax-extension
@jupyterlab/mathjax2-extension
Alt Linux
Jupyter Notebook
JupyterLab