GHSA-F962-V9HR-PFG5

Vulnerability from github – Published: 2026-06-19 19:36 – Updated: 2026-06-19 19:36
VLAI
Summary
jupyterlab-git extension: Stored XSS leading to RCE
Details

Overview

Amazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the PlainTextDiff.ts component, where the createHeader() method passes Git filenames directly to innerHTML without sanitization when rendering diffs for renamed files in commit history. This allows an adversary to craft a filename containing arbitrary HTML/JavaScript that executes when another user views the rename diff in the Git History tab.

The issue can be leveraged through the rename history view in the JupyterLab Git panel. An adversary creates a file with a crafted filename containing a JavaScript payload (e.g., .py), renames the file in a subsequent commit, and pushes to a shared repository. When a victim clones the repository, navigates to the Git History tab, clicks the rename commit, and then clicks the renamed file to view the diff, the unsanitized filename renders via innerHTML, executing arbitrary JavaScript in the victim's browser session. The injected JavaScript reads the xsrf cookie, opens a JupyterLab terminal via POST /api/terminals, connects via WebSocket, and executes arbitrary shell commands — achieving full RCE. An adversary can leverage this to exfiltrate secrets or credentials from the victim's environment.

Scope of impact

We discovered this issue during internal security testing. The issue is present in the default configuration of JupyterLab when the jupyterlab-git extension is installed.

The attack requires:

  • The adversary to have commit access to a Git repository that the victim has cloned

  • The victim to navigate to the Git History tab, click the rename commit, and click the renamed file to view the diff

The issue could allow an actor who has access to a shared Git repository to execute arbitrary JavaScript in another user's JupyterLab environment by committing a file with a crafted filename, potentially leading to remote code execution with access to user code, data, environment variables, and credentials.

Proof of concept

The issue exists in the createHeader() method where filenames from rename history are passed directly to innerHTML without sanitization:

[1] https://github.com/jupyterlab/jupyterlab-git/blob/main/src/components/diff/PlainTextDiff.ts#L214

Attack flow:

  1. An adversary creates a file with a crafted filename containing a JavaScript payload, e.g., .py

  2. The adversary renames the file in a subsequent commit and pushes both commits to a shared Git repository

  3. The victim clones or pulls the repository and navigates to the Git History tab in JupyterLab

  4. The victim clicks the rename commit, then clicks the renamed file to view the diff

  5. The createHeader() method constructs a diff header using string concatenation with the unsanitized filename and assigns the result to innerHTML

  6. The injected JavaScript executes in the victim's browser session, reads the _xsrf cookie, sends a POST request to /api/terminals to open a JupyterLab terminal, connects via WebSocket, and executes arbitrary shell commands

Proof-of-concept mitigation

The issue can be mitigated by replacing innerHTML with textContent for filename rendering in the createHeader() method of PlainTextDiff.ts. Alternatively, proper HTML sanitization (escaping <, >, &, ", ') can be applied before inserting user-controlled filenames into the DOM.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.54.0a1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab-git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0b3"
            },
            {
              "fixed": "0.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.54.0a1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "jupyterlab-git-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0b3"
            },
            {
              "fixed": "0.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 0.54.0-a1"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@jupyterlab/git"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.30.0b3"
            },
            {
              "fixed": "0.54.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54527"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:36:04Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "Overview\n\nAmazon Web Services (AWS) Security has identified a stored cross-site scripting (XSS) issue in the jupyterlab-git JupyterLab extension that can lead to remote code execution (RCE). The issue exists in the\u00a0PlainTextDiff.ts component, where the createHeader() method passes Git filenames directly to innerHTML without sanitization when rendering diffs for renamed files in commit history. This allows an adversary to\u00a0craft a filename containing arbitrary HTML/JavaScript that executes when another user views the rename diff in the Git History tab.\n\nThe issue can be leveraged through the rename history view in the JupyterLab Git panel. An adversary creates a file with a crafted filename containing a JavaScript payload (e.g.,\u00a0\u003cimg src=x onerror=eval(atob(\"base64_payload\"))\u003e.py), renames the file in a subsequent commit, and pushes to a shared repository. When a victim clones the repository, navigates to the Git History tab, clicks the\u00a0rename commit, and then clicks the renamed file to view the diff, the unsanitized filename renders via innerHTML, executing arbitrary JavaScript in the victim\u0027s browser session. The injected JavaScript reads the\u00a0xsrf cookie, opens a JupyterLab terminal via POST /api/terminals, connects via WebSocket, and executes arbitrary shell commands \u2014 achieving full RCE. An adversary can leverage this to exfiltrate secrets or\u00a0credentials from the victim\u0027s environment.\n\n\n\nScope of impact\n\nWe discovered this issue during internal security testing. The issue is present in the default configuration of JupyterLab when the jupyterlab-git extension is installed.\n\nThe attack requires:\n\n- The adversary to have commit access to a Git repository that the victim has cloned\n\n- The victim to navigate to the Git History tab, click the rename commit, and\u00a0click the renamed file to view the diff\n\n\n\nThe issue could allow an actor who has access to a shared Git repository to execute arbitrary JavaScript in another user\u0027s JupyterLab environment by committing a file with a crafted filename, potentially leading to remote code execution with access to user code, data, environment variables, and credentials.\n\n\n\nProof of concept\n\nThe issue exists in the createHeader() method where filenames from rename history are passed directly to innerHTML without sanitization:\n\n[1] https://github.com/jupyterlab/jupyterlab-git/blob/main/src/components/diff/PlainTextDiff.ts#L214\n\n\n\nAttack flow:\n\n1. An adversary creates a file with a crafted filename containing a JavaScript payload, e.g., \u003cimg src=x onerror=eval(atob(\"base64_payload\"))\u003e.py\n\n2. The adversary renames the file in a subsequent commit and pushes both commits to a shared Git repository\n\n3. The victim clones or pulls the repository and navigates to the Git History tab in JupyterLab\n\n4. The victim clicks the rename commit, then clicks the renamed file to view the diff\n\n5. The createHeader() method constructs a diff header using string concatenation with the unsanitized filename and assigns the result to innerHTML\n\n6. The injected JavaScript executes in the victim\u0027s browser session, reads the _xsrf cookie, sends a POST request to /api/terminals to open a JupyterLab terminal, connects via WebSocket, and executes arbitrary\u00a0shell commands\n\n\n\nProof-of-concept mitigation\n\nThe issue can be mitigated by replacing innerHTML with textContent for filename rendering in the createHeader() method of PlainTextDiff.ts. Alternatively, proper HTML sanitization (escaping \u003c, \u003e, \u0026, \", \u0027) can be\u00a0applied before inserting user-controlled filenames into the DOM.",
  "id": "GHSA-f962-v9hr-pfg5",
  "modified": "2026-06-19T19:36:04Z",
  "published": "2026-06-19T19:36:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-f962-v9hr-pfg5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jupyterlab/jupyterlab-git"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "jupyterlab-git extension: Stored XSS leading to RCE"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…