Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionGitHub Advisory
Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in LoginFormHandler._redirect_safe(), which allows redirects to arbitrary external domains via values such as ///example.com. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.
AnalysisAI
Open redirect vulnerability in Jupyter Server through version 2.17.0 allows unauthenticated remote attackers to redirect users to arbitrary external domains via insufficiently validated next query parameters in the login flow, enabling phishing attacks. User interaction (clicking a crafted login link) is required. The vulnerability is fixed in version 2.18.0.
Technical ContextAI
Jupyter Server is the backend runtime for Jupyter web applications, providing the HTTP server and API layer for notebook interfaces. The vulnerability exists in the LoginFormHandler._redirect_safe() function, which validates the 'next' query parameter used in post-login redirects. The validation logic fails to properly distinguish between legitimate relative redirects and open redirect payloads using protocol-relative URLs (e.g., ///example.com), which browsers interpret as absolute external URLs. This is a classic CWE-601 (URL Redirection to Untrusted Site) flaw where insufficient input sanitization on redirect targets allows attackers to bypass domain restrictions.
RemediationAI
Upgrade Jupyter Server to version 2.18.0 or later, which includes validation fixes to the LoginFormHandler._redirect_safe() method. Organizations unable to upgrade immediately should implement network controls to restrict access to the Jupyter Server login endpoint (/login) to trusted networks or require authentication proxies that validate redirect targets upstream. Additionally, educate users not to click login links from untrusted sources and consider using security headers such as X-Frame-Options and Content-Security-Policy to mitigate phishing effectiveness if users are redirected to malicious sites. No workaround patches or configuration-level fixes are documented; upgrading is the primary remediation.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Vendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209644
GHSA-qh7q-6qm3-653w