CVE-2025-59842
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-10-22
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jupyter | jupyterlab | up to 4.4.8 (exclusive; 4.4.8 is the fixed release) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1022 | The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects JupyterLab versions prior to 4.4.8, where links generated by LaTeX typesetters in Markdown files and cells did not carry the rel="noopener" attribute. This omission could theoretically allow reverse tabnabbing attacks if a third-party LaTeX-rendering extension generated links with target=_blank and users clicked on those links. However, no such extensions are known at the time of writing, and default installations are not impacted. The issue was fixed in version 4.4.8.
How can this vulnerability impact me?
The impact is minimal for default JupyterLab installations as they are not affected. Theoretically, users of certain third-party LaTeX-rendering extensions that generate links with target=_blank could be vulnerable to reverse tabnabbing attacks, which could lead to malicious pages gaining control of the original page. However, no such extensions are known, so the practical impact is very limited.
What immediate steps should I take to mitigate this vulnerability?
Update JupyterLab to version 4.4.8 or later, as this version includes the patch that addresses the vulnerability related to missing noopener attributes in LaTeX-generated links.
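The two answers above describe the mechanism (an anchor with target=_blank but no rel="noopener" leaves window.opener reachable from the opened page) and the fix (make sure rendered links carry noopener). The following is an added example, not code from JupyterLab or from this record: a small Node.js audit that scans a rendered HTML string for anchors that open a new browsing context without noopener, and a hardening pass that adds the missing rel token while preserving any rel values already present. The function names (findUnsafeBlankLinks, addNoopener) and the sample HTML are constructed for illustration; the regex-based tag scan is a simplification suitable for checking renderer output, and a real renderer would set the attribute on the DOM node or route output through an HTML sanitizer.

```javascript
// Added example (not JupyterLab project code): audit and harden rendered HTML so
// that every anchor opening a new browsing context (target="_blank") also carries
// rel="noopener", which keeps window.opener null in the opened page.

// Matches one opening <a ...> tag and captures its attribute text.
const ANCHOR_RE = /<a\b([^>]*)>/gi;

// Parse the attribute text of one <a ...> tag into a name -> value map.
// Handles double-quoted, single-quoted and unquoted values (e.g. target=_blank).
function parseAttrs(attrText) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Split a rel attribute into its whitespace-separated tokens.
function relTokens(attrs) {
  return (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
}

// Return every anchor that opens a new context without the noopener token.
function findUnsafeBlankLinks(html) {
  const findings = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue; // same-tab link
    if (relTokens(attrs).includes("noopener")) continue; // already safe
    findings.push({ offset: m.index, href: attrs.href || "", tag: m[0] });
  }
  return findings;
}

// Rewrite the HTML so every target="_blank" anchor carries rel="noopener".
// An existing rel attribute keeps its tokens and gets noopener appended.
function addNoopener(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if ((attrs.target || "").toLowerCase() !== "_blank") return tag;
    const tokens = relTokens(attrs);
    if (tokens.includes("noopener")) return tag;
    tokens.push("noopener");
    const newRel = `rel="${tokens.join(" ")}"`;
    if ("rel" in attrs) {
      return tag.replace(/(\s)rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, `$1${newRel}`);
    }
    return `<a${attrText} ${newRel}>`;
  });
}

// Constructed sample standing in for the output of a hypothetical
// LaTeX-rendering extension; the URLs are placeholders.
const SAMPLE_HTML = [
  '<p>See <a href="https://example.com/notes" target="_blank">the notes</a>,',
  '<a href="https://example.com/safe" target="_blank" rel="noopener noreferrer">a safe link</a>,',
  '<a href="https://example.com/local">an in-tab link</a> and',
  "<a rel=\"nofollow\" target=_blank href='https://example.com/quoted'>a single-quoted link</a>.</p>",
].join("\n");

// Stand-alone run: report the unsafe anchors, then show the hardened output.
for (const f of findUnsafeBlankLinks(SAMPLE_HTML)) {
  console.log(`missing noopener at offset ${f.offset}: ${f.tag}`);
}
console.log(addNoopener(SAMPLE_HTML));
```

Run with `node audit-noopener.js`; the scan reports the first and fourth anchors, and the hardened output passes a second scan with no findings while the already-safe anchor is left untouched.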