CVE-2025-59842

Links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute.

This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if:

links generated by those extensions included target=_blank (no such extensions are known at time of writing) and
they were to click on a link generated in LaTeX (typically visibly different from other links).

For consistency with handling on other links, new versions of JupyterLab will enforce noopener and target=_blank on all links generated by typesetters. The former will harden the resilience of JupyterLab to extensions with lack of secure defaults in link rendering, and the latter will improve user experience by preventing accidental state loss when clicking on links rendered by LaTeX typesetters.

Impact

Since the official LaTeX typesetter extensions for JupyterLab: jupyterlab-mathjax (default), jupyterlab-mathjax2 and jupyterlab-katex do not include the target=_blank, there is no impact for JupyterLab users.

Patches

JupyterLab 4.4.8

Workarounds

No workarounds are necessary.

References

None

Published: Sep 26, 2025
Updated: Sep 27, 2025
CVE: CVE-2025-59842
GHSA: GHSA-vvfj-2jqx-52jm
Severity: Low
Exploit:

No technical information available.

CWEs:

CWE-1022

Affected Software
References

Software	From	Fixed in
jupyterlab	-	4.4.8

Vulnerability Database

CVE-2025-59842

Impact

Patches

Workarounds

References

Deep Security Visibility Without the Complexity