python · jupyterlab
Heads-up
JupyterLab Extension Manager XSS via Malicious PyPI Package URLs
JupyterLab's Extension Manager now validates the protocol of URLs from PyPI package metadata before rendering them as clickable links.
What changed
Before the fix, the Extension Manager took the project URLs from a package's PyPI metadata as-is and rendered each one as a clickable link. A package could therefore declare a `javascript:` URL as the Homepage entry of its `[project.urls]` table (in `pyproject.toml`); when a user clicked that link in the Extension Manager listing, the script ran in the JupyterLab page as the logged-in user, i.e. cross-site scripting. The Extension Manager now checks the URL's protocol before it renders a link, so non-web URLs are no longer clickable.
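The pattern described above, as an added example that is not JupyterLab's own code: an untrusted metadata URL dropped straight into an `href` beside a hardened renderer that only links `http:` and `https:` URLs. The `SAMPLE_PROJECT_URLS` object is a constructed stand-in for the `info.project_urls` map of a PyPI JSON response; no real package is referenced. Note that HTML-escaping the value does not help, because `javascript:alert(1)` contains nothing to escape; the check has to be on the parsed protocol, using the same WHATWG URL parser the browser applies when the link is clicked, so whitespace and embedded tab/newline tricks are normalised before the comparison.

```javascript
// Added example, not JupyterLab's code. Demonstrates why the Extension Manager
// must validate the protocol of PyPI project URLs before rendering links.

const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

// Return a normalised href if the browser would treat `raw` as an http(s)
// navigation, otherwise null. new URL() implements the WHATWG parser: it strips
// leading/trailing spaces and C0 controls, drops tabs/newlines, and lower-cases
// the scheme, so " JAVA\tSCRIPT:..." still ends up with protocol "javascript:".
function safeHref(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw); // throws on relative or unparsable input
  } catch {
    return null;
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? parsed.href : null;
}

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable pattern: the metadata value goes straight into href. Escaping is
// applied, but a javascript: URL survives it untouched and runs on click.
function renderLinkUnsafe(label, url) {
  return `<a href="${escapeHtml(url)}">${escapeHtml(label)}</a>`;
}

// Hardened pattern: anything that is not http(s) is shown as plain text.
function renderLinkSafe(label, url) {
  const href = safeHref(url);
  return href
    ? `<a href="${escapeHtml(href)}" rel="noopener noreferrer" target="_blank">${escapeHtml(label)}</a>`
    : `<span>${escapeHtml(label)}</span>`;
}

// Constructed sample of a malicious package's project_urls (not a real package).
const SAMPLE_PROJECT_URLS = {
  Homepage: "javascript:alert(document.cookie)",
  Repository: "https://example.org/repo",
  Obfuscated: " JAVA\tSCRIPT:alert(1)",
  Data: "data:text/html,<script>alert(1)</script>",
  Relative: "/relative/path",
};

// Render every project URL with the given renderer; returns an array of HTML strings.
function renderAll(projectUrls, render) {
  return Object.entries(projectUrls).map(([label, url]) => render(label, url));
}

// Count how many entries ended up as real <a> links.
function countLinks(html) {
  return html.filter((h) => h.startsWith("<a ")).length;
}

module.exports = { safeHref, renderLinkUnsafe, renderLinkSafe, renderAll, countLinks, SAMPLE_PROJECT_URLS };
```

With the sample above, the unsafe renderer emits five anchors, four of which the browser would happily follow (only the relative path is harmless); the hardened renderer emits exactly one, for the `https:` repository URL, and the rest degrade to inert `<span>` text. Treating a parse failure as "not a link" is deliberate: a value the parser rejects is not something the Extension Manager should be turning into navigation anyway.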
Who it affects
Users of JupyterLab who have the Extension Manager enabled and use its default PyPI source, which fetches package metadata from PyPI and renders the project URLs it finds there. Anyone able to publish a package to PyPI can plant such a URL; the script runs only when a user opens the Extension Manager, sees that package in the listing and clicks the link.
What to do today
Upgrade JupyterLab to version 4.5.9 or later, which contains the fix. Until you can upgrade, disable the Extension Manager (for example `jupyter labextension disable @jupyterlab/extensionmanager-extension`) or at least do not click project links in its package listings.