DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-VMHF-C436-HXJ4: Client-side Stored Cross-Site Scripting (XSS) in JupyterLab Extension Manager

Vulnerability ID: GHSA-VMHF-C436-HXJ4
CVSS Score: 5.1
Published: 2026-06-19

A client-side Stored Cross-Site Scripting (XSS) vulnerability exists in the JupyterLab Extension Manager. This vulnerability allows an attacker to register a malicious package on the Python Package Index (PyPI) with a crafted metadata homepage URL using the 'javascript:' pseudo-protocol. When a JupyterLab user opens the Extension Manager and clicks the extension name, the browser executes arbitrary JavaScript code within the context of the JupyterLab origin. This can lead to the theft of active workspace documents, credentials, and API tokens. The issue affects all versions of JupyterLab prior to version 4.5.9.

TL;DR

JupyterLab versions before 4.5.9 are vulnerable to Stored Cross-Site Scripting (XSS) via the Extension Manager. Attackers can leverage malicious homepage metadata in PyPI packages to execute arbitrary JavaScript in the user's browser session.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 / CWE-20
  • Attack Vector: Network (AV:N)
  • CVSS v4.0: 5.1 (Medium)
  • Exploit Status: Proof-of-Concept
  • Affected Versions: All versions prior to 4.5.9
  • Remediation: Upgrade to v4.5.9 or set extension_manager to 'none'

Affected Systems

  • JupyterLab
  • jupyterlab: < 4.5.9 (Fixed in: 4.5.9)

Code Analysis

Commit: 4e61e07

Fix XSS in extension manager's homepage_url

Commit: d5d961f

Forbid relative URLs in extensionmanager
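As an added example (not JupyterLab's code and not either fix commit above), this is the kind of allow-list check that covers both fix titles at once: a package's homepage metadata is rendered as a link only when it parses as an absolute http(s) URL, so both the javascript: pseudo-protocol and relative URLs are rejected before they reach the browser. The package names and URLs in the sample metadata are constructed.

```python
from urllib.parse import urlsplit

# Only absolute http(s) links may be rendered as clickable homepage URLs.
ALLOWED_SCHEMES = {"http", "https"}

# Browsers strip leading/trailing ASCII whitespace and C0 controls and drop
# embedded tab/CR/LF before parsing a URL, so the check normalises the same way;
# otherwise " javascript:..." or "java\tscript:..." slips past a naive prefix test.
_STRIP_CHARS = "".join(map(chr, range(0x21)))


def safe_homepage_url(raw):
    """Return the URL if it is an absolute http(s) URL, otherwise None."""
    if not isinstance(raw, str):
        return None
    cleaned = "".join(ch for ch in raw if ch not in "\t\r\n").strip(_STRIP_CHARS)
    parts = urlsplit(cleaned)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES:
        return None  # rejects javascript:, data:, and relative URLs (empty scheme)
    if not parts.netloc:
        return None  # "http:foo" parses with a scheme but no host
    return cleaned


def audit_homepages(entries):
    """Map package name -> validated URL (or None); also list rejected packages."""
    # 'rejected' is what an operator would want logged when metadata fails validation.
    links = {}
    rejected = []
    for entry in entries:
        url = safe_homepage_url(entry.get("homepage"))
        links[entry["name"]] = url
        if url is None and entry.get("homepage"):
            rejected.append(entry["name"])
    return links, rejected


# Constructed sample metadata (hypothetical package names and URLs).
SAMPLE_ENTRIES = [
    {"name": "good-ext", "homepage": "https://github.com/example/good-ext"},
    {"name": "js-scheme-ext", "homepage": " JavaScript:alert(1)"},
    {"name": "relative-ext", "homepage": "/not/absolute"},
    {"name": "scheme-relative-ext", "homepage": "//example.invalid/x"},
    {"name": "no-homepage-ext", "homepage": None},
]

if __name__ == "__main__":
    print(audit_homepages(SAMPLE_ENTRIES))
```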

Mitigation Strategies

  • Upgrade JupyterLab to version 4.5.9 or higher.
  • Disable the JupyterLab Extension Manager to prevent external package metadata queries.
  • Apply local network restrictions to limit unauthorized outgoing connections from JupyterLab browser sessions.

Remediation Steps:

  1. To upgrade JupyterLab via pip, run: pip install --upgrade "jupyterlab>=4.5.9" (the quotes keep the shell from treating >= as an output redirection)
  2. To upgrade via conda, run: conda update jupyterlab
  3. To disable the Extension Manager manually, open jupyter_server_config.json and add: { "LabApp": { "extension_manager": "none" } }

Read the full report for GHSA-VMHF-C436-HXJ4 on our website for more details including interactive diagrams and full exploit analysis.
