Open Redirect Vulnerability in jupyter-server

GHSA-r726-vmfq-j9j3 · CVE-2023-39968 · PYSEC-2023-155

Published Aug 29, 2023 · Modified Feb 4, 2026

Description

Impact

Open Redirect Vulnerability. Maliciously crafted login links to known Jupyter Servers can cause successful login or an already logged-in session to be redirected to arbitrary sites, which should be restricted to Jupyter Server-served URLs.

Patches

Upgrade to Jupyter Server 2.7.2

Workarounds

None.

References

Vulnerability reported by user davwwwx via the bug bounty program sponsored by the European Commission and hosted on the Intigriti platform.

https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak/

References

WEB https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-r726-vmfq-j9j3
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-39968
WEB https://github.com/jupyter-server/jupyter_server/commit/290362593b2ffb23c59f8114d76f77875de4b925
WEB https://blog.xss.am/2023/08/cve-2023-39968-jupyter-token-leak
PACKAGE https://github.com/jupyter-server/jupyter_server
WEB https://github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2023-155.yaml
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NRP7DNZYVOIA4ZB3U3ZWKTFZEPYWNGCQ
WEB https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XDKQAWQN6SQTOVACZNXYKEHWQXGG4DOF

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes