CVE-2025-23205

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-23205
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-23205.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2025-23205
Aliases
Published
2025-01-17T21:15:11Z
Modified
2025-01-18T08:49:45.791943Z
Summary
[none]
Details

nbgrader is a system for assigning and grading notebooks. Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enable_subdomains = False. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has full access to the contents of the page served by formgrader using Bob's credentials. This issue has been addressed in release 0.9.5 and all users are advised to upgrade. Users unable to upgrade may disable frame-ancestors: self, or enable per-user and per-service subdomains with JupyterHub.enable_subdomains = True (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame).

References

Affected packages

Git / github.com/jupyter/nbgrader

Affected ranges

Type
GIT
Repo
https://github.com/jupyter/nbgrader
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

0.*

0.1.0

v0.*

v0.1.0
v0.2.0
v0.3.0
v0.5.0
v0.6.0
v0.7.0
v0.8.0
v0.8.0a0
v0.8.0a1
v0.8.0a2
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.9.0
v0.9.0a0
v0.9.0a1
v0.9.1
v0.9.2
v0.9.3
v0.9.4