PyPI: jupyterlab
GHSA-vmhf-c436-hxj4
Safety vulnerability ID: SFTY-20260619-94530
Affected versions of the JupyterLab package are vulnerable to Stored Cross-site Scripting (XSS) due to unsanitized URI protocols in package metadata. The `jupyterlab/extensions/pypi.py` module copies a PyPI package's URL directly into the `homepage_url`, which is then rendered by the frontend in `packages/extensionmanager/src/widget.tsx` without validating the protocol. An attacker can exploit this by publishing a malicious package to PyPI with a `javascript:` URL in its metadata; when a user clicks the extension name in JupyterLab's Extension Manager, the attacker-controlled JavaScript executes in the JupyterLab origin.
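The defensive check the description implies is a scheme allowlist applied to the metadata URL before it ever reaches the frontend as a clickable link. The following is an added example written for this page, not JupyterLab's own code or its fix; the function names `safe_homepage_url` and `sanitize_extension_entry`, the `homepage_url` dictionary key and the sample metadata entries are all constructed for illustration. It normalises the string the way a browser's URL parser does (dropping leading and trailing C0 controls and any embedded tab, CR or LF) so that a case or whitespace variant of a disallowed scheme cannot slip past a naive prefix test, then accepts only absolute `http`/`https` URLs.

```python
"""Scheme-allowlist sanitisation for URLs copied out of package metadata.

Added example (not JupyterLab's code). The idea: a URL taken from an
untrusted registry record is only safe to render as an <a href> if its
scheme is on a short allowlist; everything else (javascript:, data:,
vbscript:, file:, relative references) is replaced with None so the UI
renders plain text instead of a link.
"""
from urllib.parse import urlsplit

# Schemes that may be rendered as a clickable link.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Characters a WHATWG URL parser strips from both ends before reading
# the scheme (NUL through SPACE) and removes anywhere (tab, LF, CR).
_LEADING_TRAILING = "".join(chr(c) for c in range(0x21))
_STRIPPED_ANYWHERE = "\t\n\r"


def safe_homepage_url(raw):
    """Return `raw` if it is an absolute http(s) URL, otherwise None.

    `raw` is the untrusted value from package metadata (for example the
    PyPI `home_page` field, assumed name). Normalisation mirrors what the
    browser will do, so the check is made on the URL the browser would
    actually navigate to, not on the raw bytes.
    """
    if not isinstance(raw, str):
        return None
    cleaned = raw.strip(_LEADING_TRAILING)
    for ch in _STRIPPED_ANYWHERE:
        cleaned = cleaned.replace(ch, "")
    try:
        parts = urlsplit(cleaned)
    except ValueError:  # e.g. malformed IPv6 literal in the host part
        return None
    # urlsplit already lower-cases the scheme; lower() again for clarity.
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    # Require a host so "http:/path" style strings are not accepted.
    if not parts.netloc:
        return None
    return cleaned


def sanitize_extension_entry(entry):
    """Return a copy of a metadata dict with `homepage_url` allowlisted.

    `entry` is the record the backend would hand to the frontend; the
    `homepage_url` key is an assumed field name for this example.
    """
    cleaned = dict(entry)
    cleaned["homepage_url"] = safe_homepage_url(entry.get("homepage_url"))
    return cleaned


if __name__ == "__main__":
    # Constructed sample records, not real PyPI data.
    samples = [
        {"name": "good-ext", "homepage_url": "https://example.org/good-ext"},
        {"name": "bad-ext", "homepage_url": "javascript:alert(document.domain)"},
        {"name": "sneaky-ext", "homepage_url": "\tJavaScript:alert(1)"},
        {"name": "no-url-ext", "homepage_url": "example.org"},
    ]
    for record in samples:
        print(record["name"], "->", sanitize_extension_entry(record)["homepage_url"])
```

A frontend that receives `None` should render the extension name as plain text rather than fall back to the raw value, and the same allowlist belongs on any other metadata field that ends up in an `href` (repository or documentation links), since the registry record is untrusted input regardless of which field carries it.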
Overview
JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
Advisory
jupyterlab – Improper Neutralization of Encoded URI Schemes in a Web Page
How to Fix
Mitigation and Workarounds
---
Vulnerable Functions
Functions linked to known vulnerabilities.
References
- https://getsafety.com/vulnerabilities/SFTY-20260619-94530
- https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vmhf-c436-hxj4
- https://github.com/jupyterlab/jupyterlab/commit/4e61e07d0a91145b53fbf96ac74b0387f6bc51f6
- https://github.com/jupyterlab/jupyterlab/commit/d5d961f6e10a6442dddbf94d9a976b3897055a12
- https://github.com/jupyterlab/jupyterlab/releases/tag/v4.5.9
- https://github.com/advisories/GHSA-vmhf-c436-hxj4
Verified by Safety
Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
