Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Primary rating from Vendor (https://github.com/jupyter-server/jupyter_server).
CVSS VectorVendor: https://github.com/jupyter-server/jupyter_server
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Jupyter Server uses re.match() to validate the Origin header against the allow_origin_pat configuration.
Since re.match() only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only trusted.example.com.
Impact
<=2.17.0
Patches
057869a327c46730afede3eab0ca2d2e3e74acea, 49b34392feaa97735b3b777e3baf8f22f2a14ed8
Workarounds
Wrap your allow_origin_pat value with ^ and $
References
https://github.com/jupyter-server/jupyter_server/pull/603 https://docs.python.org/3/library/re.html#re.fullmatch https://docs.python.org/3/library/re.html#re.match
AnalysisAI
Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.
Technical ContextAI
This vulnerability (CWE-777: Regular Expression without Anchors) exploits a common regex antipattern in Python. Jupyter Server's CORS origin validation uses re.match() to check incoming Origin headers against the allow_origin_pat configuration pattern. Python's re.match() implicitly anchors only at the beginning of the string (equivalent to prepending '^' but not appending '$'). This means a pattern like 'trusted\.example\.com' will match both 'trusted.example.com' AND 'trusted.example.com.evil.com' because re.match() only verifies the start of the string. The correct approach is using re.fullmatch() (Python 3.4+) which anchors at both start and end, or manually wrapping patterns with '^pattern$'. The affected component is pkg:pip/jupyter-server, specifically the CORS validation middleware that processes HTTP Origin headers before allowing cross-origin API requests to notebook servers.
RemediationAI
Upgrade Jupyter Server to version 2.18.0 or later, which replaces re.match() with proper anchoring via commits 057869a327c46730afede3eab0ca2d2e3e74acea and 49b34392feaa97735b3b777e3baf8f22f2a14ed8. Installation via pip: 'pip install --upgrade jupyter-server>=2.18.0'. If immediate patching is not feasible, apply the workaround by modifying your Jupyter Server configuration to wrap all allow_origin_pat values with regex anchors '^' at the start and '$' at the end (e.g., change 'trusted\.example\.com' to '^trusted\.example\.com$'). This workaround provides equivalent protection but requires manual configuration changes and testing to ensure legitimate origins still match. As a compensating control, review and minimize the scope of allow_origin_pat patterns to only absolutely necessary domains, or disable CORS entirely if cross-origin access is not required (noting this will break browser-based integrations requiring cross-origin requests). Full advisory and patch details: https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p and https://github.com/jupyter-server/jupyter_server/pull/603.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27510
GHSA-24qx-w28j-9m6p