Details

The nbconvert HTTP handlers in jupyter_server render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy.

Combined with nbconvert.HTMLExporter's default non-sanitizing behavior, a notebook carrying an HTML payload in a display_data output triggers stored XSS with cookie access, full /api/* authority, and kernel RCE.

Impact

An authenticated victim who navigates to /nbconvert/html/<path> containing attacker-authored output can have their token exfiltrated to another domain because it is executed in the Jupyter origin.

Patches

Fixed in v2.20.0, commit 6cbee8d

Workarounds

For deployments where editing the installed jupyter_server is impractical (containerized builds, read-only images), adding this to jupyter_server_config.py has the same effect as the patch above without touching source files:

import jupyter_server.nbconvert.handlers as _nb

def _csp(self):
    return super(type(self), self).content_security_policy + "; sandbox allow-scripts"

_nb.NbconvertFileHandler.content_security_policy = property(_csp)
_nb.NbconvertPostHandler.content_security_policy = property(_csp)

Severity

• CVSS Score: 9.3 / 10 (Critical)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

References

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-fcw5-x6j4-ccmp
• https://github.com/jupyter-server/jupyter_server/commit/6cbee8d65e71abac851c4492fea987ad080580bd
• https://github.com/advisories/GHSA-fcw5-x6j4-ccmp

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

v2.20.0

Compare Source

(Full Changelog)

Enhancements made

• Fix confusing terminal output when using ServerApp.ip=0.0.0.0 #​1643 (@​Yann-P, @​minrk)
• Add a toggle to enable curve encryption for all kernels that support it #​1638 (@​krassowski, @​Carreau, @​ianthomas23, @​minrk)

Bugs fixed

• Grab the port from bind_sockets in case its different #​1651 (@​choldgraf, @​krassowski)

Maintenance and upkeep improvements

• Fix test_authorizer having a spurious comma in params #​1664 (@​krassowski)
• Add a reminder to merge GHSA before release #​1659 (@​Yann-P, @​Carreau)
• Exclude problematic pywinpty 3.0.4 version #​1658 (@​krassowski)
• ci: explicitly pass base-setup inputs to fix strict validation failures #​1626 (@​Carreau, @​Copilot)

Documentation improvements

• Align docs for curve encryption with latest JEP version #​1660 (@​krassowski, @​Carreau)
• Remove PGP key from docs #​1653 (@​Yann-P, @​krassowski)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​choldgraf (activity) | @​Copilot (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​Yann-P (activity)

v2.19.0

Compare Source

(Full Changelog)

Enhancements made

• Return unresolved stanza when kernel scope is unavailable for resolvePath (instead of failing with 404) #​1641 (@​MUFFANUJ, @​Carreau, @​krassowski)

Bugs fixed

• Recreate notary store on failure to prevent save deadlock and data loss #​1640 (@​krassowski, @​Carreau)

Maintenance and upkeep improvements

• Restore the test skip marks with updated compatibility reason #​1646 (@​krassowski, @​Carreau)
• Drop Python 3.9 #​1644 (@​krassowski, @​Zsailer)
• Bump minimatch from 3.1.2 to 3.1.5 #​1606 (@​Carreau, @​minrk)

Other merged PRs

• Update pytest requirement from <9,>=7.0 to >=7.0,<10 #​1647 (@​Carreau)
• fix: use percent-placeholder args in HTTPError to prevent Tornado from doubling percent signs in gateway URLs #​1642 (@​terminalchai, @​Carreau)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​Carreau (activity) | @​ianthomas23 (activity) | @​krassowski (activity) | @​minrk (activity) | @​MUFFANUJ (activity) | @​terminalchai (activity) | @​Zsailer (activity)

v2.18.2

Compare Source

(Full Changelog)

Bugs fixed

• Fix saving user avatar URL #​1637 (@​brichet, @​krassowski)
• Fix path resolution if root_dir is a filesystem root #​1636 (@​Yann-P, @​krassowski)

Maintenance and upkeep improvements

• Add Zulip notification when a release is complete #​1634 (@​Yann-P, @​Carreau)
• chore: update pre-commit hooks #​1633 (@​Carreau)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​brichet (activity) | @​Carreau (activity) | @​krassowski (activity) | @​Yann-P (activity)

v2.18.1

Compare Source

(Full Changelog)

Bugs fixed

• Prevent reconnect stalls from orphaned kernel_info requests #​1632 (@​krassowski, @​Copilot, @​jtpio, @​tonyx93)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​Copilot (activity) | @​jtpio (activity) | @​krassowski (activity) | @​tonyx93 (activity)