[GHSA-37w4-hwhx-4rc4] JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request#7593
Merged
advisory-database[bot] merged 1 commit intoMay 21, 2026
Conversation
Collaborator
|
Hi there @krassowski! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
Bot
changed the base branch from
main
to
krassowski/advisory-improvement-7593
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the GHSA advisory metadata to correctly attribute the vulnerability to JupyterLab (rather than JupyterHub) and refines the affected-version wording in the advisory details.
Changes:
- Updates the advisory summary to refer to JupyterLab instead of JupyterHub.
- Clarifies the vulnerable version range language in the details (now explicitly “prior to 4.5.7”).
- Updates the
modifiedtimestamp.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| ], | ||
| "summary": "JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request", | ||
| "details": "The allow-list of extensions that can be installed from PyPI Extension Manager (`allowed_extensions_uris`) is not correctly enforced by JupyterLab prior to 4.5.X. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.\n\nThis has security implications for deployments that:\n- have allow-listed specific extensions with aim to prevent users from installing packages\n- have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)\n- have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)\n- have the (default) PyPI Extension Manger enabled\n\n### Impact\n\nAn authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.\n\n### Patches\n\nJupyterLab [`v4.5.7`](https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7) contains the patch.\n\nUsers of applications that depend on JupyterLab, such as Notebook v7+, should update `jupyterlab` package too.\n\n### Workarounds\n\nSwitch to read-only extension manager by adding the following command line option:\n\n```bash\n--LabApp.extension_manager=readonly\n```\n\nor the following traitlet:\n\n```python\nc.LabApp.extension_manager = 'readonly'\n```\n\nYou can confirm that the read-only manager is in use from GUI:\n\n<img width=\"293\" height=\"293\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8016c809-633e-4ed0-a5bc-6bc4793caa0f\" />\n\nNote: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.\n\n### Resources\n\n- allow-list https://jupyterlab.readthedocs.io/en/stable/user/extensions.html#listing-configuration\n- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html\n- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations", | ||
| "summary": "JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request", |
| "summary": "JupyterHub has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request", | ||
| "details": "The allow-list of extensions that can be installed from PyPI Extension Manager (`allowed_extensions_uris`) is not correctly enforced by JupyterLab prior to 4.5.X. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.\n\nThis has security implications for deployments that:\n- have allow-listed specific extensions with aim to prevent users from installing packages\n- have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)\n- have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)\n- have the (default) PyPI Extension Manger enabled\n\n### Impact\n\nAn authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.\n\n### Patches\n\nJupyterLab [`v4.5.7`](https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7) contains the patch.\n\nUsers of applications that depend on JupyterLab, such as Notebook v7+, should update `jupyterlab` package too.\n\n### Workarounds\n\nSwitch to read-only extension manager by adding the following command line option:\n\n```bash\n--LabApp.extension_manager=readonly\n```\n\nor the following traitlet:\n\n```python\nc.LabApp.extension_manager = 'readonly'\n```\n\nYou can confirm that the read-only manager is in use from GUI:\n\n<img width=\"293\" height=\"293\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8016c809-633e-4ed0-a5bc-6bc4793caa0f\" />\n\nNote: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.\n\n### Resources\n\n- allow-list https://jupyterlab.readthedocs.io/en/stable/user/extensions.html#listing-configuration\n- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html\n- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations", | ||
| "summary": "JupyterLab has an Extension Manager API/GUI Policy Discrepancy, allowing 3rd party (malicious) extensions install via POST request", | ||
| "details": "The allow-list of extensions that can be installed from PyPI Extension Manager (`allowed_extensions_uris`) is not correctly enforced by JupyterLab prior to 4.5.7. The PyPI Extension Manager was not contained to packages listed on the default PyPI index.\n\nThis has security implications for deployments that:\n- have allow-listed specific extensions with aim to prevent users from installing packages\n- have the kernel and terminals disabled or delegated to remote hosts (thus no access to install packages in the single-user server environment)\n- have multi-tenant deployments that is not configured for untrusted users (as per documented on JupyterHub https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html)\n- have the (default) PyPI Extension Manger enabled\n\n### Impact\n\nAn authenticated attacker - such as a student in a shared JupyterHub environment or a user in a multi-tenant JupyterLab deployment - can escalate their privileges. This might allow for data exfiltration, lateral movement within the network, and persistent compromise of the server infrastructure.\n\n### Patches\n\nJupyterLab [`v4.5.7`](https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.7) contains the patch.\n\nUsers of applications that depend on JupyterLab, such as Notebook v7+, should update `jupyterlab` package too.\n\n### Workarounds\n\nSwitch to read-only extension manager by adding the following command line option:\n\n```bash\n--LabApp.extension_manager=readonly\n```\n\nor the following traitlet:\n\n```python\nc.LabApp.extension_manager = 'readonly'\n```\n\nYou can confirm that the read-only manager is in use from GUI:\n\n<img width=\"293\" height=\"293\" alt=\"image\" src=\"https://github.com/user-attachments/assets/8016c809-633e-4ed0-a5bc-6bc4793caa0f\" />\n\nNote: configuration of a PyPI proxy with allow-listed packages is not sufficient to protect from this vulnerability.\n\n### Resources\n\n- allow-list https://jupyterlab.readthedocs.io/en/stable/user/extensions.html#listing-configuration\n- https://jupyterhub.readthedocs.io/en/5.2.1/explanation/websecurity.html\n- https://jupyterlab.readthedocs.io/en/latest/user/extensions.html#extension-manager-implementations", |
Author
|
I cannot apply suggestions and I think they don't matter, what matters is fixing the title as it is quite wrong. Can a human review this please? |
Author
|
By which I mean: 
In any case, I would appreciate a human review/merge here, the current entry title is misleading and should be corrected. |
Author
|
Hello? I know you folks are struggling, but it was two weeks. Someone (I hope human, not an agent) rewrote the title of the advisory making it misleading. No one seems to be available to review the fix though :( |
Author
|
@github gentle ping :) |
advisory-database
Bot
merged commit a0e75dd
into
krassowski/advisory-improvement-7593
8 of 9 checks passed
Contributor
|
Hi @krassowski! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updates
Comments
The GitHub curators incorrectly titled this as JupyterHub vulnerability; this is Jupyter>Lab< vulnerability. JupyterHub is one way in which JupyterLab is distributed, but it can be problematic in other contexts (e.g. when someone uses plain jupyter-server for multi-tenant deployment, even though this is strongly discouraged by official documentation).
I also fixed the
4.5.Xplaceholder in summary (which I also updated in the project-level version)