CWE-777

Regular Expression without Anchors

The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.

CVE-2026-40110 (GCVE-0-2026-40110)

Vulnerability from cvelistv5 – Published: 2026-05-05 21:29 – Updated: 2026-05-05 21:29
Title
jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat
Summary
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python's re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0.
CWE
  • CWE-777 - Regular Expression without Anchors

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "jupyter_server",
          "vendor": "jupyter-server",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.17.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, the Origin header validation uses Python\u0027s re.match() to check incoming origins against the allow_origin_pat configuration value. Because re.match() only anchors at the start of the string and does not require a full match, a pattern intended to match only a trusted domain (e.g., trusted.example.com) will also match any origin that begins with that domain followed by additional characters (e.g., trusted.example.com.evil.com). An attacker who controls such a domain can bypass the CORS origin restriction and make cross-origin requests to the Jupyter Server API from an untrusted site. This issue has been fixed in version 2.18.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 7.6,
            "baseSeverity": "HIGH",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "LOW",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-777",
              "description": "CWE-777: Regular Expression without Anchors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-05T21:29:31.323Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p"
        },
        {
          "name": "https://github.com/jupyter-server/jupyter_server/pull/603",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyter-server/jupyter_server/pull/603"
        },
        {
          "name": "https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyter-server/jupyter_server/commit/057869a327c46730afede3eab0ca2d2e3e74acea"
        },
        {
          "name": "https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/jupyter-server/jupyter_server/commit/49b34392feaa97735b3b777e3baf8f22f2a14ed8"
        }
      ],
      "source": {
        "advisory": "GHSA-24qx-w28j-9m6p",
        "discovery": "UNKNOWN"
      },
      "title": "jupyter-server CORS origin validation bypass via unanchored regex in allow_origin_pat"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-40110",
    "datePublished": "2026-05-05T21:29:31.323Z",
    "dateReserved": "2026-04-09T01:41:38.536Z",
    "dateUpdated": "2026-05-05T21:29:31.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}



Mitigation

Phase: Implementation

Description:

  • Be sure to understand both what will be matched and what will not be matched by a regular expression. Anchoring the ends of the expression will allow the programmer to define an allowlist strictly limited to what is matched by the text in the regular expression. If you are using a package that only matches one line by default, ensure that you can match multi-line inputs if necessary.
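The following is an added illustration of the summary and of this mitigation, not code from jupyter_server or from the CWE entry. It places a check built on re.match() (start-anchored only) beside one built on re.fullmatch() (whole-string), runs both over constructed Origin values including the shape named in the advisory, and also records why appending "$" is a weaker fix than fullmatch() in Python. The pattern value, the sample origins and all function names are constructed for this example.

```python
import re

# Constructed operator configuration: the pattern is meant to allow exactly one
# trusted origin (the dots are escaped so they match literally).
ALLOW_ORIGIN_PAT = r"https://trusted\.example\.com"

# Constructed sample Origin header values; the second has the shape named in
# the advisory (trusted host followed by extra characters).
SAMPLE_ORIGINS = [
    "https://trusted.example.com",
    "https://trusted.example.com.evil.com",
    "https://trusted.example.com:8888",
    "https://other.example.com",
]


def origin_allowed_unanchored(origin: str, pattern: str) -> bool:
    """Weak check. re.match() anchors only at the start of the string, so any
    origin that merely begins with the pattern is accepted."""
    return re.match(pattern, origin) is not None


def origin_allowed_anchored(origin: str, pattern: str) -> bool:
    """Hardened check. re.fullmatch() succeeds only if the whole origin
    matches the pattern, which is what an allowlist needs."""
    return re.fullmatch(pattern, origin) is not None


def compare_checks(origins, pattern):
    """Run both checks over the samples and return
    {origin: (unanchored_result, anchored_result)}."""
    return {
        o: (origin_allowed_unanchored(o, pattern),
            origin_allowed_anchored(o, pattern))
        for o in origins
    }


def dollar_anchor_caveat(pattern: str) -> dict:
    """Show why appending '$' is a weaker fix than fullmatch(): in Python, '$'
    also matches just before a trailing newline, so a value ending in '\\n'
    still passes re.match(pattern + '$'). '\\Z' and fullmatch() reject it."""
    value = "https://trusted.example.com\n"  # constructed edge-case input
    return {
        "match_with_dollar": re.match(pattern + "$", value) is not None,
        "match_with_Z": re.match(pattern + r"\Z", value) is not None,
        "fullmatch": re.fullmatch(pattern, value) is not None,
    }


if __name__ == "__main__":
    results = compare_checks(SAMPLE_ORIGINS, ALLOW_ORIGIN_PAT)
    for origin, (weak, strict) in results.items():
        print(f"{origin:42} re.match={weak!s:5} re.fullmatch={strict!s:5}")
    print(dollar_anchor_caveat(ALLOW_ORIGIN_PAT))
```

Running it shows the unanchored check accepting both `https://trusted.example.com.evil.com` and `https://trusted.example.com:8888`, while fullmatch() accepts only the exact trusted origin. For configuration values that are regular expressions, reviewing whether the consuming code uses match(), search() or fullmatch() is as important as reviewing the pattern itself.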

No CAPEC attack patterns related to this CWE.
