PyPI: jupyterlab
CVE-2025-59842
Safety vulnerability ID: SFTY-20250926-25870
Safety legacy ID: pyup.io-79993
Overview
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Advisory
Affected versions of the jupyterlab package are vulnerable to Reverse Tabnabbing due to LaTeX typesetter–generated links not enforcing the `noopener` attribute. Links produced by LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook omit `rel=noopener`, and if a (third-party) typesetter also adds `target=_blank`, the newly opened page can access `window.opener`.
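The control the advisory describes as missing, sketched as an added example (not JupyterLab's code and not the upstream patch): a post-processing pass that adds `noopener` to the `rel` of every link a typesetter emitted while keeping any tokens already present. `enforceNoopener`, `fakeAnchor` and `demo` are hypothetical names, and the anchors are constructed stand-ins so the block runs under Node; in a browser you would pass `container.querySelectorAll('a')`.

```javascript
// Added example. Accepts any iterable of objects exposing
// getAttribute/setAttribute (real DOM <a> elements in a browser).
function enforceNoopener(anchors) {
  let changed = 0;
  for (const a of anchors) {
    const tokens = (a.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
    // rel tokens are ASCII case-insensitive; leave compliant links untouched.
    if (tokens.some(t => t.toLowerCase() === 'noopener')) continue;
    tokens.push('noopener'); // preserve existing tokens such as nofollow
    a.setAttribute('rel', tokens.join(' '));
    changed++;
  }
  return changed;
}

// Constructed stand-in for a DOM anchor (assumption: only these two
// methods are needed by enforceNoopener).
function fakeAnchor(attrs) {
  const store = new Map(Object.entries(attrs));
  return {
    getAttribute: name => (store.has(name) ? store.get(name) : null),
    setAttribute: (name, value) => { store.set(name, String(value)); },
  };
}

// Constructed sample: links as a typesetter might emit them.
function demo() {
  const links = [
    fakeAnchor({ href: 'https://example.test/a', target: '_blank' }),
    fakeAnchor({ href: 'https://example.test/b', target: '_blank', rel: 'nofollow' }),
    fakeAnchor({ href: 'https://example.test/c', rel: 'NoOpener noreferrer' }),
    fakeAnchor({ href: '#section' }),
  ];
  const changed = enforceNoopener(links);
  return { changed, rels: links.map(a => a.getAttribute('rel')) };
}
```

The pass is applied to every link rather than only those with `target=_blank`, so a third-party typesetter that adds the target later in the pipeline still produces links with `noopener` set.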
References
- https://getsafety.com/vulnerabilities/SFTY-20250926-25870/CVE-2025-59842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59842
- https://github.com/advisories/GHSA-vvfj-2jqx-52jm
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm
- https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c
- https://nvd.nist.gov/vuln/detail/CVE-2025-59842
