A recently discovered vulnerability (CVE-2024-35225) in Jupyter Server Proxy exposes users to potential cross-site scripting (XSS) attacks. This long read will discuss the details of this security vulnerability, including its impact on Jupyter Server Proxy users, code snippets, and links to online references. We will also explore the available patches and a workaround to protect users from exploitation.

Vulnerability Overview

Jupyter Server Proxy is a popular tool that allows users to run arbitrary external processes alongside their notebook server, providing authenticated web access to those processes. Versions 3.x prior to 3.2.4 and 4.x prior to 4.2. have a reflected cross-site scripting (XSS) issue. An attacker can exploit this vulnerability by sending a phishing link containing malicious JavaScript to a targeted user.

Details of the Vulnerability

The Jupyter Server Proxy /proxy endpoint accepts a host path segment in the format /proxy/<host>. When this endpoint is called with an invalid host value, jupyter-server-proxy replies with a response that includes the value of host without sanitization [2]. An attacker can leverage this by sending a phishing link with an invalid host value containing custom JavaScript to a JupyterLab user. When the user clicks this phishing link, the browser renders the response of GET /proxy/<host>, which runs the attacker's custom JavaScript contained in host.

Here is a simple example to demonstrate the XSS vulnerability in Jupyter Server Proxy

Attacker sends a phishing link:
http://example.com/proxy/"><script>alert('XSS')</script>;

Upon clicking the link, the browser runs GET /proxy/"><script>alert('XSS')</script>

The unsanitized response contains the attacker's custom JavaScript:
GET /proxy/"><script>alert('XSS')</script>

Exploiting this vulnerability allows the attacker to run arbitrary JavaScript code with the user's privileges. This can lead to unauthorized access to the user's JupyterLab instance and data, potentially compromising sensitive information.

1. Jupyter Server Proxy GitHub Repository
2. CVE-2024-35225 Details
3. NVD Entry

Solution

Patches to fix this issue have been released in versions 4.2. and 3.2.4 of Jupyter Server Proxy. It is highly recommended that users upgrade their Jupyter Server Proxy to one of the aforementioned versions to mitigate the risk of exploitation.

Workaround

Users who are unable to upgrade their Jupyter Server Proxy to a patched version can disable the jupyter-server-proxy extension as a temporary measure to protect themselves from XSS attacks. To disable the extension, follow these steps:

Locate the "jupyter-server-proxy" extension and click on the "Disable" button.

It is important to consider upgrading to a patched version as soon as possible, as disabling the extension may limit the functionality of the JupyterLab instance.

Conclusion

In summary, CVE-2024-35225 poses a significant threat to Jupyter Server Proxy users running vulnerable versions of the software. Upgrading to versions 4.2. or 3.2.4 is the most effective way to address this vulnerability. Alternatively, users can temporarily disable the jupyter-server-proxy extension to mitigate the risk of exploitation. Being vigilant about software updates and vulnerability patches is essential to maintain a secure environment and protect sensitive data.

Timeline

Published on: 06/11/2024 22:15:09 UTC
Last modified on: 06/13/2024 18:36:09 UTC