CVE-2025-59842
BaseFortify

Publication date: 2025-09-26

Last updated on: 2025-10-22

Assigner: GitHub, Inc.

Description
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-09-26
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: jupyter; Product: jupyterlab; Version / Range: versions before 4.4.8 (4.4.8 excluded)
CWE
CWE-1022: The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
Executive Summary

This vulnerability involves JupyterLab versions prior to 4.4.8 where links generated with LaTeX typesetters in Markdown files and cells did not include the noopener attribute. This omission could theoretically allow reverse tabnabbing attacks if third-party LaTeX-rendering extensions generated links with target=_blank and users clicked on those links. However, no such extensions are known at the time of writing, and default installations are not impacted. The issue was fixed in version 4.4.8.

Impact Analysis

The impact is minimal for default JupyterLab installations, which are not affected. Theoretically, users of third-party LaTeX-rendering extensions that generate links with target=_blank could be vulnerable to reverse tabnabbing, in which the newly opened page uses window.opener to redirect the original tab to a page of the attacker's choosing. However, no such extensions are known, so the practical impact is very limited.

Mitigation Strategies

Update JupyterLab to version 4.4.8 or later, as this version includes the patch that addresses the vulnerability related to missing noopener attributes in LaTeX-generated links.
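Added example (JavaScript, not JupyterLab's own code): a defender-side check over HTML produced by a third-party Markdown/LaTeX renderer that reports every anchor opening a new tab without rel=noopener, the condition CWE-1022 describes, and rewrites such anchors so the opener link is severed. The function names and the sample HTML are constructed for this illustration and assume the renderer emits plain HTML start tags.

```javascript
// Post-process rendered HTML so every <a target="_blank"> also carries
// rel="noopener" (the attribute CVE-2025-59842 reports as missing).
// Hypothetical helpers; only <a> start tags are inspected.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const REL_RE = /\s+rel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i;

// Parse one start tag's attribute text into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// True when the anchor opens a new browsing context while leaving
// window.opener reachable: target=_blank without noopener/noreferrer.
function isTabnabbable(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  return !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Detection: list the href of every anchor that exposes window.opener.
function findUnsafeLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (isTabnabbable(attrs)) unsafe.push(attrs.href || '');
  }
  return unsafe;
}

// Mitigation: add rel="noopener" to each unsafe anchor, keeping any
// existing rel tokens; anchors that are already safe are left untouched.
function enforceNoopener(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!isTabnabbable(attrs)) return tag;
    const rel = attrs.rel ? `${attrs.rel} noopener` : 'noopener';
    return `<a${attrText.replace(REL_RE, '')} rel="${rel}">`;
  });
}

// Constructed sample: one unsafe link (A) and two safe ones (B, C).
const SAMPLE = '<p><a href="https://example.org/a" target="_blank">A</a> ' +
  '<a href="https://example.org/b" target="_blank" rel="noopener">B</a> ' +
  '<a href="https://example.org/c">C</a></p>';
```

Running findUnsafeLinks over a renderer's output flags the anchors a reviewer should inspect; enforceNoopener is the belt-and-braces rewrite for output you cannot change at the source.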
