VulnerableCode Package Details - pkg:pypi/jupyter-server-proxy@3.2.3

Search for packages

Vulnerability	Summary	Fixed by
VCID-vyth-1a84-1kda Aliases: CVE-2024-35225 PYSEC-2024-236	Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. Patches are included in versions 4.2.0 and 3.2.4. As a workaround, server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension.	3.2.4 Affected by 0 other vulnerabilities. 4.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-vyth-1a84-1kda
Aliases:
CVE-2024-35225
PYSEC-2024-236

Jupyter Server Proxy allows users to run arbitrary external processes alongside their notebook server and provide authenticated web access to them. Versions of 3.x prior to 3.2.4 and 4.x prior to 4.2.0 have a reflected cross-site scripting (XSS) issue. The `/proxy` endpoint accepts a `host` path segment in the format `/proxy/<host>`. When this endpoint is called with an invalid `host` value, `jupyter-server-proxy` replies with a response that includes the value of `host`, without sanitization [2]. A third-party actor can leverage this by sending a phishing link with an invalid `host` value containing custom JavaScript to a user. When the user clicks this phishing link, the browser renders the response of `GET /proxy/<host>`, which runs the custom JavaScript contained in `host` set by the actor. As any arbitrary JavaScript can be run after the user clicks on a phishing link, this issue permits extensive access to the user's JupyterLab instance for an actor. Patches are included in versions 4.2.0 and 3.2.4. As a workaround, server operators who are unable to upgrade can disable the `jupyter-server-proxy` extension.

3.2.4
Affected by 0 other vulnerabilities.

4.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-zsh3-vq7z-fkfh	Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.	CVE-2024-28179 GHSA-w3vc-fx9p-wp4v PYSEC-2024-234

Vulnerability

Summary

Aliases

VCID-zsh3-vq7z-fkfh

Jupyter Server Proxy allows users to run arbitrary external processes alongside their Jupyter notebook servers and provides authenticated web access. Prior to versions 3.2.3 and 4.1.1, Jupyter Server Proxy did not check user authentication appropriately when proxying websockets, allowing unauthenticated access to anyone who had network access to the Jupyter server endpoint. This vulnerability can allow unauthenticated remote access to any websocket endpoint set up to be accessible via Jupyter Server Proxy. In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. The websocket endpoints exposed by `jupyter_server` itself is not affected. Projects that do not rely on websockets are also not affected. Versions 3.2.3 and 4.1.1 contain a fix for this issue.

CVE-2024-28179
GHSA-w3vc-fx9p-wp4v
PYSEC-2024-234

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:47:24.994943+00:00	GitLab Importer	Fixing	VCID-zsh3-vq7z-fkfh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/jupyter-server-proxy/CVE-2024-28179.yml	38.6.0
2026-06-02T04:21:29.822793+00:00	Pypa Importer	Affected by	VCID-vyth-1a84-1kda	https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-server-proxy/PYSEC-2024-236.yaml	38.6.0
2026-06-02T04:21:07.700049+00:00	Pypa Importer	Fixing	VCID-zsh3-vq7z-fkfh	https://github.com/pypa/advisory-database/blob/main/vulns/jupyter-server-proxy/PYSEC-2024-234.yaml	38.6.0