Cross-Site Scripting Vulnerability in Jupyter nbgrader by Jupyter
CVE-2025-23205

6.9 MEDIUM

Key Information:

Vendor: Jupyter
Status: Vendor
CVE Published: 17 January 2025

What is CVE-2025-23205?

A Cross-Site Scripting (XSS) vulnerability exists in Jupyter nbgrader's formgrader and is reachable through iframe embedding. Formgrader responds with the Content-Security-Policy directive `frame-ancestors 'self'`, which permits any page served from the same origin to embed it in an iframe. Under the default JupyterHub configuration, where per-user subdomains are not set up, every user's notebook server is served from the hub's single origin, so a malicious user can host a page on their own server that loads another user's (for example an instructor's) formgrader content in an iframe and read it from the embedding page. This could allow the attacker to extract sensitive information and gain unauthorized access to user credentials. Users are urged to update to nbgrader 0.9.5 or to configure JupyterHub with per-user subdomains to mitigate this risk.
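The following is an added example, not code from the nbgrader project or from this advisory. It models the framing decision a browser makes for the two deployments the description contrasts: JupyterHub without subdomains (all users share one origin) and with per-user subdomains (each user gets their own origin). The header sets, hostnames and paths are constructed for illustration; the page does not state which exact headers nbgrader 0.9.5 emits, so the "hardened" set is an assumption based on the usual fix of denying all ancestors.

```python
"""Does a page on one user's JupyterHub server get to <iframe> another user's formgrader?

Constructed example: response headers and origins are modelled as plain values;
nothing here talks to a real hub. Host-source matching is simplified (no ports,
no scheme-only sources) which is enough for the policies under discussion.
"""
from urllib.parse import urlsplit


def parse_csp(csp: str) -> dict:
    """Parse a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, which is what same-origin checks compare."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source: str, framer: str, target: str) -> bool:
    """Does one frame-ancestors source expression let origin `framer` embed origin `target`?"""
    s = source.strip("'").lower()
    if s == "none":
        return False
    if s == "*":
        return True
    if s == "self":
        # The crux of the bug: 'self' is satisfied by *any* page on the target's origin.
        return framer == target
    # Host source such as https://hub.example.org or *.example.org (simplified).
    host = s.split("://")[-1]
    framer_host = framer.split("://")[-1]
    if host.startswith("*."):
        return framer_host.endswith(host[1:])
    return framer_host == host


def framing_allowed(headers: dict, framer_url: str, target_url: str) -> bool:
    """True if a page at framer_url may place target_url in an <iframe>.

    Browsers honour CSP frame-ancestors over X-Frame-Options when both are present,
    and allow framing when neither is sent.
    """
    h = {k.lower(): v for k, v in headers.items()}
    framer, target = origin_of(framer_url), origin_of(target_url)
    csp = parse_csp(h.get("content-security-policy", ""))
    if "frame-ancestors" in csp:
        return any(source_matches(s, framer, target) for s in csp["frame-ancestors"])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == target
    return True


# Constructed deployments (hostnames and user names are assumptions for illustration).
HUB = "https://hub.example.org"
# Default JupyterHub: every user's server lives under one origin.
ATTACKER_NOSUB = f"{HUB}/user/student/files/evil.html"
INSTRUCTOR_NOSUB = f"{HUB}/user/instructor/formgrader/"
# JupyterHub with per-user subdomains: each user's server is its own origin.
ATTACKER_SUB = "https://student.hub.example.org/files/evil.html"
INSTRUCTOR_SUB = "https://instructor.hub.example.org/formgrader/"

# The policy described in the advisory for the affected version.
WEAK = {"Content-Security-Policy": "frame-ancestors 'self'"}
# Assumed hardened policy: refuse every ancestor (X-Frame-Options kept for old browsers).
HARDENED = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}


def scenarios() -> dict:
    """Framing outcome for each deployment/policy combination discussed in the advisory."""
    return {
        "frame-ancestors 'self', no subdomains": framing_allowed(WEAK, ATTACKER_NOSUB, INSTRUCTOR_NOSUB),
        "frame-ancestors 'self', subdomains": framing_allowed(WEAK, ATTACKER_SUB, INSTRUCTOR_SUB),
        "frame-ancestors 'none', no subdomains": framing_allowed(HARDENED, ATTACKER_NOSUB, INSTRUCTOR_NOSUB),
    }


if __name__ == "__main__":
    for name, allowed in scenarios().items():
        print(f"{name}: {'FRAMEABLE' if allowed else 'blocked'}")
```

Only the first scenario is frameable: with `'self'` and a shared origin the student's page may embed the instructor's formgrader, and because the two documents are same-origin the embedding page can also script into the frame, which is what makes the information disclosure possible. Either changing the policy (the update to 0.9.5) or splitting users onto separate origins (JupyterHub's `c.JupyterHub.subdomain_host` setting, assumed here as the configuration the advisory refers to) closes that path. To check a real deployment, compare the `Content-Security-Policy` and `X-Frame-Options` headers of a formgrader response against these two header sets.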

Affected Version(s)

nbgrader = 0.9.4

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 17 January 2025
