Bug 2454048
| Summary: | CVE-2026-4800 python-jupyterlab-widgets: lodash: Arbitrary code execution via untrusted input in template imports [fedora-all] | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jon Moroney <jmoroney> |
| Component: | python-jupyterlab-widgets | Assignee: | Lumír Balhar <lbalhar> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | rawhide | CC: | lbalhar, romain.geissler |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | {"flaws": ["9bea0361-156d-4476-b60c-effb975141e0"]} | | |
| Fixed In Version: | | Doc Type: | --- |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2026-06-14 15:05:25 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 2453496 | | |
Description
Jon Moroney
2026-04-01 20:24:07 UTC
jupyterlab_widgets bundles only lodash.isEqual (and its internal dependencies) via backbone.js. The _.template() function and all code paths leading to the vulnerable Function() constructor call are not compiled into the shipped static bundle. The templateSettings symbol present in the bundle belongs to underscore.js (backbone's dependency), not lodash.