CVE-2018-19351
Description
Jupyter Notebook before 5.7.1 allows XSS via an untrusted notebook because nbconvert responses are considered to have the same origin as the notebook server. In other words, nbconvert endpoints can execute JavaScript with access to the server API. In notebook/nbconvert/handlers.py, NbconvertFileHandler and NbconvertPostHandler do not set a Content Security Policy to prevent this.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jupyter Notebook before 5.7.1 allows cross-site scripting (XSS) via untrusted notebooks because nbconvert endpoints lack a Content Security Policy.
Vulnerability
Jupyter Notebook versions prior to 5.7.1 contain a cross-site scripting (XSS) vulnerability in the nbconvert endpoints. The NbconvertFileHandler and NbconvertPostHandler in notebook/nbconvert/handlers.py do not set a Content Security Policy (CSP) header. As a result, responses from nbconvert are treated as having the same origin as the notebook server, allowing arbitrary JavaScript execution when a user opens a malicious notebook [1][4]. The vulnerability is triggered when a user converts or exports an untrusted notebook (e.g., via "Download as" or "Print Preview") [1].
Exploitation
An attacker can craft a notebook containing malicious JavaScript code. When a victim user opens that notebook and triggers an nbconvert operation (such as exporting to HTML or PDF), the malicious script executes in the context of the notebook server's origin. No special network position or authentication is required beyond the victim having access to the notebook server and opening the crafted notebook [1]. The attacker does not need write access to the server; the notebook can be shared via any means (e.g., email, upload).
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser with access to the notebook server's API. This can lead to data theft (e.g., reading notebook contents, accessing server resources), modification of notebooks, or further attacks against the server and other users [1]. The impact is limited to the same-origin context of the notebook server, but since the server API is accessible, the attacker can perform actions as the victim user.
Mitigation
The vulnerability is fixed in Jupyter Notebook version 5.7.1, released on 2018-11-18 [2]. Users should upgrade to at least version 5.7.1. Note that Notebook v5 is no longer maintained; users are strongly advised to upgrade to Classic Notebook v6 or Notebook v7 [2][3]. No workaround is available for unpatched versions. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
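A defender verifying whether a running server carries the 5.7.1 fix can inspect the Content-Security-Policy header returned by an nbconvert endpoint rather than trusting a version string. The following check is an added example, not code from the CVE record or from the Jupyter project; the sample headers are constructed, the unpatched one modelled on the notebook server's default policy and the patched one on the `sandbox allow-scripts` directive the fix appends.

```python
# Added example (not from the CVE record or the Jupyter project): parse a
# Content-Security-Policy header and decide whether an nbconvert response is
# confined the way the 5.7.1 fix intends: a "sandbox" directive is present
# and does not hand the server origin back via allow-same-origin.

def parse_csp(header):
    """Parse a CSP header into {directive_name: [tokens]}.

    Directives are separated by ';', tokens by whitespace; directive names
    are case-insensitive. Empty segments (e.g. a trailing ';') are ignored.
    """
    policy = {}
    for segment in header.split(";"):
        tokens = segment.split()
        if not tokens:
            continue
        # Browsers ignore a repeated directive, so keep the first occurrence.
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def nbconvert_is_sandboxed(header):
    """True iff the CSP isolates scripts from the notebook server's origin.

    "sandbox allow-scripts" lets scripts run but inside an opaque (unique)
    origin; a sandbox that also lists allow-same-origin defeats that.
    """
    policy = parse_csp(header or "")
    if "sandbox" not in policy:
        return False
    flags = {flag.lower() for flag in policy["sandbox"]}
    return "allow-same-origin" not in flags


# Constructed sample headers (assumptions, not captured from a real server).
UNPATCHED = "frame-ancestors 'self'; report-uri /api/security/csp-report"
PATCHED = UNPATCHED + "; sandbox allow-scripts"
WEAK_OVERRIDE = UNPATCHED + "; sandbox allow-scripts allow-same-origin"


def check_headers(headers):
    """Map each label to whether its CSP confines nbconvert output."""
    return {label: nbconvert_is_sandboxed(csp) for label, csp in headers.items()}


if __name__ == "__main__":
    samples = {"unpatched": UNPATCHED, "patched": PATCHED, "weak": WEAK_OVERRIDE}
    for label, ok in check_headers(samples).items():
        print(f"{label}: {'sandboxed' if ok else 'NOT sandboxed'}")
```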
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| notebook (PyPI) | < 5.7.1 | 5.7.1 |
Affected products
Patches (1)
107a89fce5f4: Apply CSP sandboxing for nbconvert responses
1 file changed · +14 −0
notebook/nbconvert/handlers.py+14 −0 modified@@ -78,6 +78,13 @@ class NbconvertFileHandler(IPythonHandler): SUPPORTED_METHODS = ('GET',) + @property + def content_security_policy(self): + # In case we're serving HTML/SVG, confine any Javascript to a unique + # origin so it can't interact with the notebook server. + return super(NbconvertFileHandler, self).content_security_policy + \ + "; sandbox allow-scripts" + @web.authenticated def get(self, format, path): @@ -145,6 +152,13 @@ def get(self, format, path): class NbconvertPostHandler(IPythonHandler): SUPPORTED_METHODS = ('POST',) + @property + def content_security_policy(self): + # In case we're serving HTML/SVG, confine any Javascript to a unique + # origin so it can't interact with the notebook server. + return super(NbconvertPostHandler, self).content_security_policy + \ + "; sandbox allow-scripts" + @web.authenticated def post(self, format): exporter = get_exporter(format, config=self.config)
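Review bot: The `content_security_policy` property is duplicated verbatim in both hunks (`NbconvertFileHandler` and `NbconvertPostHandler`); a small mixin or a shared base handler for the two nbconvert handlers would define the `"; sandbox allow-scripts"` directive once, so a later change cannot update one handler and miss the other. The concatenation also assumes the parent's `content_security_policy` is non-empty; if it is ever empty the header would start with `; sandbox allow-scripts`, which is harmless but untidy, and a regression test asserting that both the GET and POST responses carry a `sandbox` directive would pin the fix down. The comment promises a unique origin, which holds only in browsers that honour the CSP `sandbox` directive, so the accompanying changelog entry should say this is a browser-enforced mitigation.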
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (9)
- github.com/advisories/GHSA-49qr-xh3w-h436 [ghsa, ADVISORY]
- nvd.nist.gov/vuln/detail/CVE-2018-19351 [ghsa, ADVISORY]
- github.com/jupyter/notebook/blob/master/docs/source/changelog.rst [ghsa, x_refsource_MISC, WEB]
- github.com/jupyter/notebook/commit/107a89fce5f413fb5728c1c5d2c7788e1fb17491 [ghsa, x_refsource_MISC, WEB]
- github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2018-17.yaml [ghsa, WEB]
- groups.google.com/forum/ [ghsa, WEB]
- groups.google.com/forum/ [mitre, x_refsource_MISC]
- lists.debian.org/debian-lts-announce/2020/11/msg00033.html [ghsa, mailing-list, x_refsource_MLIST, WEB]
- pypi.org/project/notebook/ [ghsa, x_refsource_MISC, WEB]