CVE-2024-35225
📋 TL;DR
Jupyter Server Proxy versions 3.x before 3.2.4 and 4.x before 4.2.0 contain a reflected cross-site scripting (XSS) vulnerability in the /proxy endpoint. Attackers can craft phishing links with malicious JavaScript in the host parameter, which executes when clicked by authenticated users, potentially compromising their JupyterLab sessions. This affects all users running vulnerable versions of jupyter-server-proxy.
💻 Affected Systems
- jupyter-server-proxy
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the JupyterLab instance, allowing data theft, code execution, or lateral movement within the Jupyter environment.
Likely Case
Session hijacking, credential theft, or unauthorized access to the user's notebooks and data through malicious JavaScript execution.
If Mitigated
Limited impact with proper input validation, output encoding, and user awareness about phishing links.
🎯 Exploit Status
Exploitation requires user interaction (clicking phishing link) but is straightforward once the link is crafted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.4 or 4.2.0
Vendor Advisory: https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr
Restart Required: Yes
Instructions:
1. Upgrade jupyter-server-proxy to version 3.2.4 (3.x) or 4.2.0 (4.x) using pip: 'pip install --upgrade jupyter-server-proxy==3.2.4' or 'pip install --upgrade jupyter-server-proxy==4.2.0'.
2. Restart the Jupyter server.
🔧 Temporary Workarounds
Disable jupyter-server-proxy extension
Temporarily disable the vulnerable extension until patching is possible
jupyter serverextension disable jupyter_server_proxy
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to block malicious /proxy requests
🔍 How to Verify
Check if Vulnerable:
Check the jupyter-server-proxy version with 'pip show jupyter-server-proxy' and verify whether the version is below 3.2.4 (for 3.x) or below 4.2.0 (for 4.x)
Check Version:
pip show jupyter-server-proxy | grep Version
Verify Fix Applied:
After upgrade, confirm version is 3.2.4 or higher (3.x) or 4.2.0 or higher (4.x) using 'pip show jupyter-server-proxy'
📡 Detection & Monitoring
Log Indicators:
- Unusual /proxy endpoint requests with JavaScript in host parameter
- Error responses from /proxy endpoint containing script tags
Network Indicators:
- HTTP GET requests to /proxy/ with suspicious characters in path
- Phishing emails containing Jupyter server links
SIEM Query:
source="jupyter" AND uri_path="/proxy/*" AND (uri_path CONTAINS "<script>" OR uri_path CONTAINS "javascript:")
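A log-scanning example for the indicators listed above, added here and not part of the advisory or of the jupyter-server-proxy project. It assumes a combined-format access log from the reverse proxy or Jupyter server and treats the path segment after /proxy/ as the host parameter; it percent-decodes the segment before matching, which the literal SIEM query above does not (an encoded payload such as %3Cscript%3E would never match "<script>").

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not taken from the advisory or the project).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2024:10:00:00 +0000] "GET /user/alice/lab HTTP/1.1" 200 512
10.0.0.7 - - [01/Jun/2024:10:01:00 +0000] "GET /user/alice/proxy/8080/ HTTP/1.1" 200 128
10.0.0.9 - - [01/Jun/2024:10:02:00 +0000] "GET /user/alice/proxy/%3Cscript%3Ealert(1)%3C%2Fscript%3E:80/ HTTP/1.1" 404 300
10.0.0.9 - - [01/Jun/2024:10:03:00 +0000] "GET /user/bob/proxy/javascript%3Aalert(1):80/ HTTP/1.1" 404 128
"""

# Combined-log request line: client IP, timestamp, method and request path.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) ')
# Substrings that never belong in a hostname; compared after decoding and lower-casing.
SUSPICIOUS = ("<script", "javascript:", "<", ">", "onerror=", "onload=")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def proxy_host_segment(path: str):
    """Return the raw path segment right after '/proxy/' (assumed to carry the host), or None.
    The split happens before decoding so an encoded '/' stays inside the segment."""
    m = re.search(r"/proxy/([^/?]+)", path)
    return m.group(1) if m else None


def scan_log(text: str):
    """Return one dict per request whose decoded /proxy/ host segment contains a suspicious marker."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        seg = proxy_host_segment(m.group("path"))
        if seg is None:
            continue
        decoded = decode_fully(seg).lower()
        matched = [s for s in SUSPICIOUS if s in decoded]
        if matched:
            hits.append({"ip": m.group("ip"), "path": m.group("path"),
                         "decoded_host": decoded, "matched": matched})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Requests that hit the markers should be correlated with the responding status code and the user session, since a 4xx reflecting the decoded segment is the behaviour the advisory describes.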
🔗 References
- https://github.com/jupyterhub/jupyter-server-proxy/blob/62a290f08750f7ae55a0c29ca339c9a39a7b2a7b/jupyter_server_proxy/handlers.py#L328
- https://github.com/jupyterhub/jupyter-server-proxy/commit/7abc9dc5bbb0b4b440548a5375261b8b8192fc22
- https://github.com/jupyterhub/jupyter-server-proxy/commit/ff78128087e73fb9d0909e1366f8bf051e8ea878
- https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-fvcq-4x64-hqxr