Description
Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.
Published: 2026-05-05
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jupyter Server’s login flow accepts a next query parameter that is not properly validated; values such as "///example.com" send users to arbitrary external domains. This flaw, identified as CWE‑601, enables attackers to craft login URLs that redirect unsuspecting users to malicious sites, facilitating phishing attacks and potentially credential compromise. The vulnerability does not grant direct code execution or system access, but it undermines trust and can lead to phishing success by redirecting users to attacker‑controlled domains.

Affected Systems

The issue is present in all jupyter_server versions up to and including 2.17.0. The affected product is the jupyter_server component provided by the jupyter-server organization. The vulnerability was fixed in version 2.18.0, so any installation using an older version requires updating.

Risk and Exploitability

The CVSS score of 6.3 indicates a medium severity impact, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited in the wild. Attackers can exploit this flaw remotely by directing users to a malicious URL through a crafted login link; no special privileges or system access are required. Given the ease of use, phishing campaigns could leverage this redirect to lure users into phishing sites, although the exploit does not directly steal data or enable arbitrary code execution.

Generated by OpenCVE AI on May 5, 2026 at 17:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Jupyter Server to version 2.18.0 or later to remove the open‑redirect flaw
  • If an upgrade is not immediately possible, implement server‑side validation to reject or sanitize the next parameter, preventing redirects to external domains
  • Deploy a web‑application firewall or similar rule set to block requests with leading slashes or external domain names in the next parameter and monitor for phishing attempts

Generated by OpenCVE AI on May 5, 2026 at 17:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qh7q-6qm3-653w Jupyter Server has an open redirection vulnerability in `next` query parameter
History

Sat, 16 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:jupyter:jupyter_server:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Tue, 05 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Jupyter
Jupyter jupyter Server
Vendors & Products Jupyter
Jupyter jupyter Server

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 05 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.
Title jupyter_server next parameter open redirect can redirect users to external domains
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N'}

Subscriptions

Jupyter Jupyter Server
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:16:59.332Z

Reserved: 2025-09-29T20:25:16.180Z

Link: CVE-2025-61669

cve-icon Vulnrichment

Updated: 2026-05-05T20:16:10.899Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-05T16:16:10.133

Modified: 2026-05-11T13:01:45.537

Link: CVE-2025-61669

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-05T15:28:43Z

Links: CVE-2025-61669 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:30:05Z

Weaknesses