CVE-2025-59842

JupyterLab LaTeX typesetter links did not enforce `noopener` attribute

CVSS 2.1 LOWEPSS 0.2%CWE-1022

In short

Links generated by LaTeX typesetters in JupyterLab didn't include the `noopener` attribute, which could theoretically allow a reverse tabnabbing attack if a user clicked a specially crafted link. This only affects third-party LaTeX extensions and poses minimal risk in default setups.

Technical detail

LaTeX-rendered links in Markdown cells lacked the `noopener` attribute, enabling potential reverse tabnabbing attacks where a malicious link with `target=_blank` could access the opener window's location object. This vulnerability requires user interaction (clicking a LaTeX-generated link) and only manifests with third-party LaTeX extensions that generate such links; default JupyterLab installations are unaffected.

Summary generated and translated by AI from the official description.

jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

jupyterlab · jupyterlab

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/jupyterlab/jupyterlab/commit/88ef373039a8cc09f27d3814382a512d9033675c https://github.com/jupyterlab/jupyterlab/security/advisories/GHSA-vvfj-2jqx-52jm