CVE-2025-61669: Jupyter Server has an open redirection vulnerability in `next` query parameter

May 5, 2026 (updated May 8, 2026)

The ?next=... URL query parameter has an open redirection vulnerability. In jupyter_server<=2.17.0, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.

References

github.com/advisories/GHSA-qh7q-6qm3-653w
github.com/jupyter-server/jupyter_server
github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w
nvd.nist.gov/vuln/detail/CVE-2025-61669

Code Behaviors & Features

Detect and mitigate CVE-2025-61669 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →