Update: notebook 5.7.7 and JupyterHub 0.9.5 contained incomplete fixes for this issue. 5.7.8 and 0.9.6 are released with more complete fixes.

JupyterHub ≤ 0.9.5 and Notebook ≤ 5.7.8 are affected. Versions 0.9.6 and 5.7.8 are released with fixes. Upgrade with pip or conda:

pip install --upgrade 'notebook>=5.7.8'

pip install --upgrade 'jupyterhub>=0.9.6' conda install -c conda-forge 'notebook>=5.7.8'

conda install -c conda-forge 'jupyterhub>=0.9.6'

notebook 5.7.8 also fixes some compatibility issues and regressions introduced in 5.7.5 and 5.7.6, especially on some Windows systems. If you use the jupyterhub helm chart, version 0.8.2 upgrades JupyterHub to 0.9.6.

What is an Open Redirect Vulnerability?

Login pages tend to take a parameter for redirecting back to a page after successful login, e.g. /login?next=/notebooks/mynotebook.ipynb , so that you aren’t disrupted too much if you try to visit a page, but have to authenticate first. An Open Redirect Vulnerability is when a malicious person crafts a link pointing to the login page of a trusted site, but setting the “redirect after successful login” parameter to send the user to their own site, instead of a page on the authenticated site (the notebook or JupyterHub server), e.g. /login?next=http://badwebsite.biz . This doesn’t necessarily compromise anything immediately, but it enables phishing if users don’t notice that the domain has changed, e.g. by showing a fake “re-enter your password” page. Servers generally have to validate the redirect URL to avoid this. Both JupyterHub and Notebook already do this, but the validation didn’t take into account all possible ways to redirect to other sites, so some malicious URLs could still be crafted to redirect away from the server (the above example does not work in any recent version of either package). Only certain browsers (Chrome and Firefox, not Safari) could be redirected from the JupyterHub login page, but all browsers could be redirected away from a standalone notebook server.

This vulnerability has been assigned CVE-2019–10255. This post will be updated when it has been assigned. Thanks to Ronak Odhaviya for reporting the issue. You can report security issues by emailing ipython-security@googlegroups.com.