CVE-2024-22421

JupyterLab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook and Architecture. Users of JupyterLab who click on a malicious link may get their Authorization and XSRFToken tokens exposed to a third party when running an older jupyter-server version. JupyterLab versions 4.1.0b2, 4.0.11, and 3.6.7 are patched. No workaround has been identified, however users should ensure to upgrade jupyter-server to version 2.7.2 or newer which includes a redirect vulnerability fix.

Published: Jan 19, 2024
Updated: May 4, 2025
CVE: CVE-2024-22421
GHSA: GHSA-44cc-43rp-5947
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CWEs:

CWE-200
CWE-23

Affected Software
References

Software	From	Fixed in
jupyterlab	4.0.0	4.0.11
jupyterlab	-	3.6.7
notebook	7.0.0	7.0.7
jupyter / notebook	7.0.0	7.0.7
jupyter / jupyterlab	4.0.0	4.0.11
jupyter / jupyterlab	-	3.6.7
fedoraproject / fedora	39	39.x

https://github.com/jupyterlab/jupyterlab/commit/19bd9b96cb2e77170a67e43121637d0b5619e8c6
https://github.com/jupyterlab/jupyterlab/commit/1ef7a4fa0202ebdf663e1cc0b45c8813a34a0b96
https://github.com/jupyterlab/jupyterlab/commit/fccd83dc4441da0384ee3fd1322c3b2d9ad4caaa
https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-44cc-43rp-5947
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQJKNRDRFMKGVRIYNNN6CKMNJDNYWO2H/

Vulnerability Database

CVE-2024-22421

Deep Security Visibility Without the Complexity