CVE-2025-59842Use of Web Link to Untrusted Target with window.opener Access in Jupyterlab

CWE-1022Use of Web Link to Untrusted Target with window.opener Access7 documents6 sources
Severity
2.1LOWNVD
EPSS
0.0%
top 91.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
JupyterlabJupyter Jupyterlab
Timeline
PublishedSep 26

Description

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages3 packages

NVDjupyter/jupyterlab< 4.4.8
CVEListV5jupyterlab/jupyterlab< 4.4.8
PyPIjupyterlab/jupyterlab< 4.4.8

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute2025-09-26
OSV
CVE-2025-59842: jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture2025-09-26
CVEList
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute2025-09-26
GHSA
JupyterLab LaTeX typesetter links did not enforce `noopener` attribute2025-09-26

📋Vendor Advisories

2
Red Hat
jupyterlab: JupyterLab LaTeX typesetter links did not enforce `noopener` attribute2025-09-26
Debian
CVE-2025-59842: jupyterlab - jupyterlab is an extensible environment for interactive and reproducible computi...2025