Bug 2399757 (CVE-2025-59842) - CVE-2025-59842 jupyterlab: JupyterLab LaTeX typesetter links did not enforce `noopener` attribute
Keywords:
Status: NEW
Alias: CVE-2025-59842
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2399841 2399842 2399843 2399844 2399845 2399846 2399847 2399848 2399849 2399850 2399851 2399852
Blocks:
Reported: 2025-09-26 16:01 UTC by OSIDB Bzimport
Modified: 2025-09-26 21:34 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-09-26 16:01:30 UTC
jupyterlab is an extensible environment for interactive and reproducible computing, based on the Jupyter Notebook Architecture. Prior to version 4.4.8, links generated with LaTeX typesetters in Markdown files and Markdown cells in JupyterLab and Jupyter Notebook did not include the noopener attribute. This is deemed to have no impact on the default installations. Theoretically users of third-party LaTeX-rendering extensions could find themselves vulnerable to reverse tabnabbing attacks if links generated by those extensions included target=_blank (no such extensions are known at time of writing) and they were to click on a link generated in LaTeX (typically visibly different from other links). This issue has been patched in version 4.4.8.
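
The mitigation described above, as an added example that is not part of the bug report and not JupyterLab's own patch: a post-render pass that adds `noopener` to any link opening a new browsing context. It goes slightly beyond the report by covering named targets as well as `target=_blank`; the function names, the stand-in anchor objects and the example.org URLs are constructed for illustration.

```javascript
// Added example: enforce rel="noopener" on rendered links that open a new
// browsing context. All names here are illustrative, not JupyterLab APIs.
const SAME_CONTEXT = new Set(['', '_self', '_parent', '_top']);

function opensNewContext(anchor) {
  const target = (anchor.getAttribute('target') || '').trim().toLowerCase();
  return !SAME_CONTEXT.has(target);
}

// root: any node exposing querySelectorAll (document, a rendered cell, ...).
// Returns the hrefs of the links that had to be fixed, for logging/auditing.
function enforceNoopener(root) {
  const fixed = [];
  for (const a of root.querySelectorAll('a[href]')) {
    if (!opensNewContext(a)) continue;
    const tokens = (a.getAttribute('rel') || '').split(/\s+/).filter(Boolean);
    if (tokens.some((t) => t.toLowerCase() === 'noopener')) continue;
    tokens.push('noopener'); // keep existing tokens such as nofollow
    a.setAttribute('rel', tokens.join(' '));
    fixed.push(a.getAttribute('href'));
  }
  return fixed;
}

// Constructed stand-in for DOM anchors so the example also runs under Node.
function fakeAnchor(attrs) {
  return {
    attrs: { ...attrs },
    getAttribute(name) { return name in this.attrs ? this.attrs[name] : null; },
    setAttribute(name, value) { this.attrs[name] = String(value); },
  };
}

// Constructed sample: four links as a LaTeX-rendering extension might emit.
function sampleRoot() {
  const anchors = [
    fakeAnchor({ href: 'https://example.org/a', target: '_blank' }),
    fakeAnchor({ href: 'https://example.org/b', target: '_blank', rel: 'nofollow' }),
    fakeAnchor({ href: 'https://example.org/c', target: '_blank', rel: 'NoOpener' }),
    fakeAnchor({ href: 'https://example.org/d' }),
  ];
  return { anchors, querySelectorAll: () => anchors };
}
```

In a browser, pass the rendered container element instead of `sampleRoot()`; the returned list shows which generated links lacked the attribute.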