Update dependency jupyter-server to v2.18.0 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
jupyter-server	==2.16.0 → ==2.18.0

---

Jupyter Server has an open redirection vulnerability in next query parameter

CVE-2025-61669 / GHSA-qh7q-6qm3-653w

More information

Details

Summary

The ?next=... URL query parameter has an open redirection vulnerability. In jupyter_server<=2.17.0, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.

Details

The vulnerability is caused by insufficient validation in the LoginFormHandler._redirect_safe() method.

• Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76

This vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.

PoC

1. Navigate to http://localhost:8888/login?next=///google.com
2. Observe that the user is redirected to google.com despite it being an external domain.

The external domain passed in the ?next parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as prod.company.com may be redirected to a look-alike URL such as prod.company.dev.

Impact

This vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.

Patches

Jupyter Server 2.18+

Workaround

None.

Severity

• CVSS Score: 6.0 / 10 (Medium)
• Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

References

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w
• https://github.com/advisories/GHSA-qh7q-6qm3-653w

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Jupyter Server: Path Traversal via incorrect startswith() root directory check allows access to sibling directories

CVE-2026-35397 / GHSA-5789-5fc7-67v3

More information

Details

Summary

Jupyter Server <=2.17.0 can access directories sibling to the root directory, if it starts with the root dir's name.

PoC

Minimal:

.
├── test/              <- root directory.
│   └── test.txt
└── testtest/
    └── secret.txt     <- file to exfiltrate that we should not be able to access via API

HOST="http://localhost:8888"
TOKEN=""
SIBLING="testtest"
TARGET="secret.txt"

curl -s -X POST \
  "$HOST/api/contents/%2e%2e/$SIBLING/$TARGET/checkpoints" \
  -H "Authorization: token $TOKEN"

Full PoC by @​stef41: https://gist.github.com/Yann-P/66d4982a965dee8fcb8dd89db29e7006

Impact

It is possible for an authenticated user to access content outside the server's root_dir in siblings directories sharing the same prefix as the root_dir. The attacker can escalate access, reading, writing, and deleting from sibling directories.

This can have a tangible impact for deployments using predictable naming scheme with multi-tenant server, for example user1, user2, user3, ..., user10 etc, as user1 could access and modify files of all user10 - user19 and higher.

In a hypothetical system where users can choose a name of their folder, an attacker could choose a single-letter username to gain access to a significant number of sibling directories.

Workarounds

Use folder names that do not overlap.

Acknowledgments

Thank you to @​stef41 for providing a useful PoC.

Severity

• CVSS Score: 7.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

References

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5789-5fc7-67v3
• https://github.com/advisories/GHSA-5789-5fc7-67v3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Jupyter Server has a CORS Origin Validation Bypass via re.match() in allow_origin_pat (from huntr)

CVE-2026-40110 / GHSA-24qx-w28j-9m6p

More information

Details

Jupyter Server uses re.match() to validate the Origin header against the allow_origin_pat configuration.

Since re.match() only anchors at the start of the string, an attacker who controls a domain like http://trusted.example.com.evil.com/ passes validation against a pattern intended to match only trusted.example.com.

Impact

<=2.17.0

Patches

057869a327c46730afede3eab0ca2d2e3e74acea, 49b34392feaa97735b3b777e3baf8f22f2a14ed8

Workarounds

Wrap your allow_origin_pat value with ^ and $

References

https://github.com/jupyter-server/jupyter_server/pull/603
https://docs.python.org/3/library/re.html#re.fullmatch
https://docs.python.org/3/library/re.html#re.match

Severity

• CVSS Score: 7.6 / 10 (High)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:L/SC:L/SI:L/SA:L

References

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-24qx-w28j-9m6p
• https://github.com/advisories/GHSA-24qx-w28j-9m6p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Jupyter Server's Authentication Cookies Remain Valid After Password Reset and Server Restart

CVE-2026-40934 / GHSA-5mrq-x3x5-8v8f

More information

Details

Summary

A persistent cookie secret vulnerability allows authenticated users to maintain indefinite access even after password changes.

The cookie secret used to sign authentication cookies is stored in a permanent file (~/.local/share/jupyter/runtime/jupyter_cookie_secret) that is never automatically rotated or cleared, allowing stolen or compromised cookies to remain valid indefinitely regardless of password resets.

PoC

• Start a Jupyter server with password authentication: jupyter server password, jupyter server
• Log in with the password and capture the authentication cookie (e.g., just login with a browser).
• Change the password to revoke access: jupyter server password
• Restart the server
• Use the old stolen cookie => remains valid and provides full authenticated access.

Impact

• All jupyter-server deployments using password authentication where security incidents may occur
• Multi-user systems where one user's compromised session should be revocable by administrators
• Shared or public-facing Jupyter servers where credential rotation is a security requirement
• Any deployment where password changes are expected to revoke existing sessions

Patches

Jupyter Server 2.18+

Workaround

rm ~/.local/share/jupyter/runtime/jupyter_cookie_secret

##### Then restart the server

Severity

• CVSS Score: 6.8 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

References

• https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-5mrq-x3x5-8v8f
• https://github.com/advisories/GHSA-5mrq-x3x5-8v8f

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jupyter-server/jupyter_server (jupyter-server)

v2.18.0

Compare Source

(Full Changelog)

API and Breaking Changes

• Add query param to sanitize HTML in GET /nbconvert/html #​1618 (@​Yann-P, @​Carreau)

Enhancements made

• Update handlers.py to fix ioloop blockers(sync file operations) #​1617 (@​zolyfarkas-fb, @​Carreau)
• Avoid redundant call to _get_os_path in _dir_model #​1547 (@​joeyutong, @​vidartf)
• Allow specifying extra params to scrub from logs #​1538 (@​jtpio, @​Zsailer, @​vidartf)
• Add a logger to the ExtensionPoint API #​1523 (@​Zsailer, @​vidartf)
• Allow user to update identity values #​1518 (@​brichet, @​minrk)
• If ServerApp.ip is ipv6 use [::1] as local_url #​1495 (@​manics, @​afshin)
• Better error message when starting kernel for session. #​1478 (@​Carreau, @​davidbrochart, @​krassowski, @​minrk)
• Add a traitlet to disable recording HTTP request metrics #​1472 (@​yuvipanda, @​Zsailer)
• prometheus: Expose 3 activity metrics #​1471 (@​yuvipanda, @​Zsailer)
• Add prometheus info metrics listing server extensions + versions #​1470 (@​yuvipanda, @​Zsailer)
• Add prometheus metric with version information #​1467 (@​yuvipanda, @​Zsailer)
• Don't hide .so,.dylib files by default #​1457 (@​nokados, @​krassowski, @​minrk, @​vidartf)
• Better hash format error message #​1442 (@​fcollonval, @​Zsailer)
• Removing excessive logging from reading local files #​1420 (@​lresende, @​kevin-bates)
• Add async start hook to ExtensionApp API #​1417 (@​Zsailer, @​Darshan808, @​bollwyvl, @​fcollonval, @​krassowski)
• Do not include token in dashboard link, when available #​1406 (@​minrk, @​blink1073)
• Add an option to have authentication enabled for all endpoints by default #​1392 (@​krassowski, @​Wh1isper, @​blink1073, @​bollwyvl, @​minrk, @​yuvipanda)
• websockets: add configurations for ping interval and timeout #​1391 (@​oliver-sanders, @​blink1073)
• log extension import time at debug level unless it's actually slow #​1375 (@​minrk, @​Zsailer, @​yuvipanda)
• Add support for async Authorizers (part 2) #​1374 (@​Zsailer, @​blink1073)
• Support async Authorizers #​1373 (@​Zsailer, @​blink1073)
• Support get file(notebook) md5 #​1363 (@​Wh1isper, @​blink1073, @​bollwyvl, @​krassowski)
• Update kernel env to reflect changes in session #​1354 (@​blink1073, @​Carreau, @​krassowski)
• Add resolvePath API for resolving kernel-relative paths #​1331 (@​krassowski, @​Carreau, @​blink1073)

Bugs fixed

• Move check origin into a util function and add it to websocket #​1630 (@​Carreau, @​Yann-P)
• Fix flaky test_restart_kernel by unsticking nudge() after port-changing restart #​1628 (@​Carreau, @​claude, @​krassowski)
• Try to fix flaky test "test_restart_kernel" #​1625 (@​Carreau)
• Fix potential unraisable pytest error #​1624 (@​Carreau)
• fix: use %s placeholders in HTTPError to prevent Tornado from doubling % in gateway URLs #​1620 (@​terminalchai, @​krassowski, @​ptch314)
• Fix three file descriptor leaks in kernel connection lifecycle (#​1506) #​1619 (@​tonyx93, @​Carreau)
• Use web.HTTPError for kernel restart failures #​1616 (@​YDawn, @​Carreau)
• Handle EADDRINUSE and EACCES in _bind_http_server_tcp #​1613 (@​YDawn, @​Zsailer, @​minrk)
• Use st_birthtime for file created timestamp on macOS/BSD #​1594 (@​ktaletsk, @​krassowski, @​minrk)
• Fix double write when refusing hidden files in contents handler #​1585 (@​Krish-876, @​minrk)
• Close all sockets in _find_http_port explicitly #​1584 (@​MaryushSoroka, @​minrk)
• Fix writing on remote file systems with attribute cache #​1574 (@​krassowski, @​Zsailer)
• Add IdentityProvider.cookie_secret_hook #​1569 (@​emin63, @​minrk)
• fix context pollution #​1561 (@​dualc, @​Zsailer)
• Fix gateway cookie handling #​1558 (@​kevin-bates, @​RRosio, @​lresende, @​minrk)
• Fix FileNotFoundError handling in rename_file methods #​1548 (@​aws-jasakshi, @​Zsailer, @​dlqqq)
• Use stdlib override when possible #​1532 (@​edrogers, @​bollwyvl, @​krassowski, @​vidartf)
• Update meetings notes link and zoom link #​1517 (@​krassowski, @​afshin, @​minrk)
• Fallback to direct write for readonly dirs and use temp path for checkpoints #​1516 (@​Darshan808, @​afshin, @​krassowski)
• Check file permissions before making tmp file #​1513 (@​RRosio, @​afshin)
• Validate extension name before toggling through CLI #​1509 (@​Darshan808, @​Zsailer, @​afshin, @​krassowski)
• Fix for #​1479 : Incorrect usage of i18n format #​1500 (@​kjayan, @​andrii-i, @​astitv-sh, @​vidartf)
• Fix handling of missing parent header in record activity #​1498 (@​davidbrochart, @​minrk)
• display_url: Don't duplicate public_url and local_url if they are the same #​1494 (@​manics, @​Zsailer, @​krassowski)
• fix connection exception cause high cpu load #​1484 (@​dualc, @​lresende, @​minrk)
• CORS is not checked when browsing files. check origin now #​1459 #​1465 (@​gogasca, @​Zsailer, @​vidartf)
• Return HTTP 400 when attempting to post an event with an unregistered schema #​1463 (@​afshin, @​Zsailer)
• write server extension list to stdout #​1451 (@​minrk)
• don't let ExtensionApp jpserver_extensions be overridden by config #​1447 (@​minrk, @​Zsailer)
• Pass session_id during Websocket connect #​1440 (@​gogasca, @​Zsailer, @​blink1073, @​krassowski)
• Do not log environment variables passed to kernels #​1437 (@​krassowski, @​blink1073, @​minrk)
• extensions: render default templates with default static_url #​1435 (@​minrk, @​Zsailer)
• Improve the busy/idle execution state tracking for kernels. #​1429 (@​ojarjur, @​Zsailer, @​krassowski, @​vidartf)
• Ignore zero-length page_config.json, restore previous behavior of crashing for invalid JSON #​1405 (@​holzman, @​blink1073)
• Don't crash on invalid JSON in page_config (#​1403) #​1404 (@​holzman, @​Zsailer)
• Fix color in windows log console with colorama #​1397 (@​hansepac, @​blink1073, @​jasongrout)
• Fix log arguments for gateway client error #​1385 (@​minrk, @​blink1073)
• Import User unconditionally #​1384 (@​yuvipanda, @​blink1073)
• Fix a typo in error message #​1381 (@​krassowski, @​kevin-bates)
• avoid unhandled error on some invalid paths #​1369 (@​minrk, @​blink1073)
• Change md5 to hash and hash_algorithm, fix incompatibility #​1367 (@​Wh1isper, @​blink1073, @​davidbrochart, @​fcollonval)
• ContentsHandler return 404 rather than raise exc #​1357 (@​bloomsa, @​Wh1isper, @​blink1073)
• Force legacy ws subprotocol when using gateway #​1311 (@​epignot, @​Zsailer)

Maintenance and upkeep improvements

• Start to test on Python 3.13 and 3.14 #​1623 (@​Carreau)
• Fix package spec for jupytext #​1614 (@​krassowski, @​Zsailer)
• chore: update pre-commit hooks #​1607 (@​minrk)
• try to fix ci on windows #​1600 (@​minrk, @​krassowski)
• run prerelease tests on 3.14 #​1599 (@​minrk)
• Pin sphinx to an older version (<9) to fix docs #​1597 (@​krassowski, @​minrk)
• Restore running all tests for Windows in CI workflow #​1581 (@​krassowski, @​Zsailer)
• Fix flaky test_execution_state test #​1579 (@​krassowski, @​Zsailer)
• Fix failing link check due to a blog post referred in docs changing URL format #​1577 (@​krassowski, @​Zsailer)
• Fix lint on CI, pin ruff to the same version in hatch fmt and pre-commit #​1576 (@​krassowski, @​Zsailer)
• Bump actions/checkout from 5 to 6 in the actions group #​1572 (@​minrk)
• don't link check npm #​1568 (@​minrk, @​Zsailer)
• Bump the actions group across 1 directory with 2 updates #​1551 (@​Zsailer)
• Bump brace-expansion from 1.1.11 to 1.1.12 #​1546 (@​minrk)
• Replace @flaky.flaky decorate with pytest marker #​1544 (@​mgorny, @​minrk)
• Fix the failing "Test Lint" check on CI #​1540 (@​jtpio, @​Zsailer, @​krassowski)
• tests: install test-functional requirements for Jupytext downstream tests #​1510 (@​MaicoTimmerman, @​Zsailer, @​krassowski)
• Donation link NF -> LF #​1485 (@​Carreau, @​minrk)
• Handle newer jupyter_events wants string version, drop 3.8 #​1481 (@​Carreau, @​jtpio, @​minrk)
• Ignore unclosed sqlite connection in traits #​1477 (@​cjwatson, @​minrk)
• chore: update pre-commit hooks #​1449 (@​minrk)
• chore: update pre-commit hooks #​1441 (@​blink1073)
• chore: update pre-commit hooks #​1427 (@​blink1073)
• Use hatch fmt command #​1424 (@​blink1073, @​davidbrochart)
• chore: update pre-commit hooks #​1421 (@​blink1073)
• Fix jupytext and lint CI failures #​1413 (@​blink1073)
• Set all min deps #​1411 (@​blink1073)
• chore: update pre-commit hooks #​1409 (@​blink1073)
• Update pytest requirement from <8,>=7.0 to >=7.0,<9 #​1402 (@​blink1073)
• Pin to Pytest 7 #​1401 (@​blink1073)
• Update release workflows #​1399 (@​blink1073)
• chore: update pre-commit hooks #​1390 (@​blink1073)
• Improve warning handling #​1386 (@​blink1073)
• Simplify the jupytext downstream test #​1383 (@​mwouts, @​blink1073)
• Fix test param for pytest-xdist #​1382 (@​tornaria, @​blink1073)
• Update pre-commit deps #​1380 (@​blink1073, @​Zsailer)
• Use ruff docstring-code-format #​1377 (@​blink1073)
• Update for tornado 6.4 #​1372 (@​blink1073)
• chore: update pre-commit hooks #​1370 (@​blink1073)
• Update ruff and typings #​1365 (@​blink1073)
• Clean up ruff config #​1358 (@​blink1073)
• Add more typings #​1356 (@​blink1073)
• chore: update pre-commit hooks #​1355 (@​blink1073)
• Clean up config and address warnings #​1353 (@​blink1073)
• Clean up lint and typing #​1351 (@​blink1073)
• Update typing for traitlets 5.13 #​1350 (@​blink1073)
• Update typings and fix tests #​1344 (@​blink1073)

Documentation improvements

• some docs fixes #​1627 (@​Carreau, @​krassowski)
• Updated dev install instructions #​1622 (@​bloomsa, @​Carreau)
• Fix outdated ContentsManager testing guidance #​1611 (@​terminalchai, @​Zsailer, @​lresende, @​minrk)
• add missing word 'to' #​1596 (@​carlfarrington, @​krassowski, @​minrk)
• Update websocket-protocols documentation to reflect implementation #​1508 (@​ark-1, @​Zsailer)
• Update Security Section in the Jupyter Server Documentation #​1505 (@​kjayan, @​Zsailer)
• Update Contribution Page for Jupyter Server #​1499 (@​kjayan, @​3coins, @​andrii-i, @​danyeaw, @​lresende, @​vidartf)
• Fix typo in metric description #​1486 (@​yuvipanda, @​Zsailer)
• add comments to explain signal handling under jupyterhub #​1452 (@​oliver-sanders, @​Zsailer)
• Update documentation for cookie_secret #​1433 (@​krassowski, @​blink1073, @​minrk)
• Add Changelog for 2.14.1 #​1430 (@​blink1073)
• Update simple extension examples: _jupyter_server_extension_points #​1426 (@​manics, @​blink1073)
• Link to GitHub repo from the docs #​1415 (@​krassowski, @​blink1073)
• docs: list server extensions #​1412 (@​oliver-sanders, @​Zsailer, @​blink1073)
• Update simple extension README to cd into correct subdirectory #​1410 (@​markypizz, @​blink1073)
• Add deprecation note for ServerApp.preferred_dir #​1396 (@​krassowski, @​blink1073)
• Replace _jupyter_server_extension_paths in apidocs #​1393 (@​manics, @​Zsailer, @​blink1073)
• fix "Shutdown" -> "Shut down" #​1389 (@​Timeroot, @​blink1073)
• Enable htmlzip and epub on readthedocs #​1379 (@​bollwyvl, @​blink1073)
• Update api docs with md5 param #​1364 (@​Wh1isper, @​blink1073)
• typo: ServerApp #​1361 (@​IITII, @​blink1073)

Other merged PRs

• Bump actions/create-github-app-token from 2 to 3 in the actions group across 1 directory #​1621 (@​Carreau)
• Bump brace-expansion from 1.1.12 to 1.1.13 #​1615 (@​minrk)

Contributors to this release

The following people contributed discussions, new ideas, code and documentation contributions, and review.
See our definition of contributors.

(GitHub contributors page for this release)

@​3coins (activity) | @​afshin (activity) | @​andrii-i (activity) | @​ark-1 (activity) | @​astitv-sh (activity) | @​aws-jasakshi (activity) | @​blink1073 (activity) | @​bloomsa (activity) | @​bollwyvl (activity) | @​brichet (activity) | @​carlfarrington (activity) | @​Carreau (activity) | @​cjwatson (activity) | @​claude (activity) | @​codecov-commenter (activity) | @​danyeaw (activity) | @​Darshan808 (activity) | @​davidbrochart (activity) | @​dlqqq (activity) | @​dualc (activity) | @​echarles (activity) | @​edrogers (activity) | @​emin63 (activity) | @​epignot (activity) | @​fcollonval (activity) | @​gogasca (activity) | @​hansepac (activity) | @​holzman (activity) | @​IITII (activity) | @​jasongrout (activity) | @​joeyutong (activity) | @​jtpio (activity) | @​kevin-bates (activity) | @​kjayan (activity) | @​krassowski (activity) | @​Krish-876 (activity) | @​ktaletsk (activity) | @​lresende (activity) | @​MaicoTimmerman (activity) | @​manics (activity) | @​markypizz (activity) | @​MaryushSoroka (activity) | @​mgorny (activity) | @​minrk (activity) | @​mwouts (activity) | @​nokados (activity) | @​ojarjur (activity) | @​oliver-sanders (activity) | @​ptch314 (activity) | @​rgbkrk (activity) | @​RRosio ([activity](https://redirect.github.com/search?q=repo%3Ajupyter-server%2Fjupyter_server+invo

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cla-bot]

We require contributors to sign our Contributor License Agreement, and we don't have @renovate[bot] on file. You can sign our CLA at https://e2b.dev/docs/cla . Once you've signed, post a comment here that says '@cla-bot check'

[claude]

⚠️ Code review skipped — your organization has reached its monthly code review spending cap.

An organization admin can view or raise the cap at claude.ai/admin-settings/claude-code. The cap resets at the start of the next billing period.

Once the cap resets or is raised, reopen this pull request to trigger a review.