ghsa-vvfj-2jqx-52jm
Vulnerability from github
Published
2025-09-26 14:26
Modified
2025-09-26 19:24
Severity ?
2.1 (Low) - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Details

Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute.

This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if: - links generated by those extensions included target=_blank (no such extensions are known at time of writing) and - they were to click on a link generated in LaTeX (typically visibly different from other links).

For consistency with handling on other links, new versions of JupyterLab will enforce noopener and target=_blank on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.

Impact

Since the official LaTeX typesetter extensions for JupyterLab: jupyterlab-mathjax (default), jupyterlab-mathjax2 and jupyterlab-katex do not include the target=_blank, there is no impact for JupyterLab users.

Patches

JupyterLab 4.4.8

Workarounds

No workarounds are necessary.

References

None

Show details on source website

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.4.7"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.4.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59842"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1022"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-26T14:26:40Z",
    "nvd_published_at": "2025-09-26T16:15:48Z",
    "severity": "LOW"
  },
  "details": "Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the `noopener` attribute.\n\nThis is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if:\n- links generated by those extensions included `target=_blank` (no such extensions are known at time of writing) and\n- they were to click on a link generated in LaTeX (typically visibly different from other links).\n\nFor consistency with handling on other links, new versions of JupyterLab will enforce `noopener` and `target=_blank` on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.\n\n### Impact\n\nSince the official LaTeX typesetter extensions for JupyterLab: `jupyterlab-mathjax` (default), `jupyterlab-mathjax2` and `jupyterlab-katex` do not include the `target=_blank`, there is no impact for JupyterLab users.\n\n### Patches\n\nJupyterLab 4.4.8\n\n### Workarounds\n\nNo workarounds are necessary.\n\n### References\n\nNone",
  "id": "GHSA-vvfj-2jqx-52jm",
  "modified": "2025-09-26T19:24:06Z",
  "published": "2025-09-26T14:26:40Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59842"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterlab/jupyterlab"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "JupyterLab LaTeX typesetter links did not enforce `noopener` attribute"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.