GHSA-gj55-2xf9-67rq: HTML injection in JupyterLite leading to DOM Clobbering

September 6, 2024 (updated November 18, 2024)

The vulnerability depends on user interaction by opening a malicious notebook with Markdown cells, or Markdown file using JupyterLab preview feature.

A malicious user can access any data accessible from JupyterLite and perform arbitrary actions in JupyterLite environment.

References

github.com/advisories/GHSA-gj55-2xf9-67rq
github.com/jupyterlab/jupyterlab/security/advisories/GHSA-9q39-rmj3-p4r2
github.com/jupyterlite/jupyterlite
github.com/jupyterlite/jupyterlite/security/advisories/GHSA-gj55-2xf9-67rq

Code Behaviors & Features

Detect and mitigate GHSA-gj55-2xf9-67rq with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →