GHSA-QH7Q-6QM3-653W

Vulnerability from github – Published: 2026-05-05 16:32 – Updated: 2026-05-05 16:32
Summary
Jupyter Server has an open redirection vulnerability in `next` query parameter
Details

Summary

The ?next=... URL query parameter has an open redirection vulnerability. In jupyter_server<=2.17.0, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.

Details

The vulnerability is caused by insufficient validation in the LoginFormHandler._redirect_safe() method.

  • Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76

This vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.

PoC

  1. Navigate to http://localhost:8888/login?next=///google.com
  2. Observe that the user is redirected to google.com despite it being an external domain.

The external domain passed in the ?next parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as prod.company.com may be redirected to a look-alike URL such as prod.company.dev.
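As an added illustration (not the project's code, and not the actual fix shipped in 2.18), the following Python contrasts a simplified urlparse-based "is this a local path?" check of the kind this advisory describes with a hardened version that rejects network-path references such as ///google.com; the function names, the base_url parameter and the /tree default are assumptions.

```python
from urllib.parse import urlparse


def naive_is_local(next_url: str) -> bool:
    """Simplified, bypassable check (illustrative, not the project's code).

    It trusts urlparse(): a scheme or netloc means "external", anything
    else is assumed to be a path on this server.  urlparse("///google.com")
    yields netloc="" and path="/google.com", so this accepts the PoC value
    even though browsers resolve it to http://google.com/.
    """
    parsed = urlparse(next_url)
    return not parsed.scheme and not parsed.netloc


def hardened_is_local(next_url: str, base_url: str = "/") -> bool:
    """Accept only an absolute path under base_url on this origin.

    Rejects anything starting with '//' (a network-path reference, whatever
    the number of slashes), backslashes and whitespace/control characters,
    which browsers may normalise into a different host.  These checks run on
    the raw string because urlparse() strips tab/newline before parsing.
    """
    if not next_url or any(c in next_url for c in " \t\r\n\x00\\"):
        return False
    if not next_url.startswith("/") or next_url.startswith("//"):
        return False
    parsed = urlparse(next_url)
    if parsed.scheme or parsed.netloc:
        return False
    return (parsed.path + "/").startswith(base_url)


def safe_redirect_target(next_url: str, default: str = "/tree") -> str:
    """Return next_url if it is a local path, otherwise the default landing page."""
    return next_url if hardened_is_local(next_url) else default


if __name__ == "__main__":
    # Constructed sample values: the PoC payload beside normal local paths.
    for candidate in ["/tree", "///google.com", "//google.com", "https://google.com"]:
        print(f"{candidate!r:22} naive={naive_is_local(candidate)!s:5} "
              f"hardened={hardened_is_local(candidate)}")
```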

Impact

This vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.

Patches

Jupyter Server 2.18+

Workaround

None.


{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.17.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyter-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.18.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61669"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-05T16:32:48Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nThe `?next=...` URL query parameter has an open redirection vulnerability. In `jupyter_server\u003c=2.17.0`, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.\n\n### Details\n\nThe vulnerability is caused by insufficient validation in the `LoginFormHandler._redirect_safe()` method.\n\n- Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76\n\nThis vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.\n\n### PoC\n\n1. Navigate to `http://localhost:8888/login?next=///google.com`\n2. Observe that the user is redirected to `google.com` despite it being an external domain.\n\nThe external domain passed in the `?next` parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as `prod.company.com` may be redirected to a look-alike URL such as `prod.company.dev`. \n\n### Impact\n\nThis vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.\n\n### Patches\n\nJupyter Server 2.18+\n\n### Workaround\n\nNone.",
  "id": "GHSA-qh7q-6qm3-653w",
  "modified": "2026-05-05T16:32:48Z",
  "published": "2026-05-05T16:32:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyter-server/jupyter_server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Jupyter Server has an open redirection vulnerability in `next` query parameter"
}