Sensitive Auth & Cookie data stored in Jupyter server logs
Description
The Jupyter Server provides the backend (i.e. the core services, APIs, and REST endpoints) for Jupyter web applications. Prior to version 1.15.4, unauthorized actors can access sensitive information from server logs. Anytime a 5xx error is triggered, the auth cookie and other header values are recorded in Jupyter Server logs by default. Considering these logs do not require root access, an attacker can monitor these logs, steal sensitive auth/cookie information, and gain access to the Jupyter server. Jupyter Server version 1.15.4 contains a patch for this issue. There are currently no known workarounds.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jupyter Server logs sensitive auth cookies on 5xx errors, allowing local attackers to steal credentials and gain server access before version 1.15.4.
Vulnerability
Prior to version 1.15.4, Jupyter Server records the auth cookie and other HTTP header values into server logs whenever a 5xx (server error) response is triggered. This occurs by default in the log configuration, exposing sensitive authentication tokens without requiring elevated privileges to read the log files [1][4].
Exploitation
An attacker with read access to the Jupyter Server logs—these logs do not require root or administrative privileges to view [1]—can monitor the log output. When any 5xx error is triggered (either naturally or perhaps induced by the attacker), the log entry includes the full auth cookie and other header values. The attacker can then extract these credentials from the log and use them to authenticate as the logged-in user [1][4].
Impact
Successful exploitation allows an unauthorized actor to steal sensitive authentication cookies and impersonate a legitimate user, thereby gaining access to the Jupyter Server. The confidentiality and integrity of all Jupyter notebooks, files, and running kernels are compromised, and the attacker can perform any action the victim user could [1][4].
Mitigation
Upgrade to Jupyter Server version 1.15.4, which contains a fix that removes sensitive header values from error logs. No workarounds are currently known [1][4].
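As an added example (not Jupyter Server's own code), the header-logging behaviour before and after the fix, modelled on the patch to jupyter_server/log.py, plus a helper a defender can run over log files written by an unpatched server to see whether auth headers were recorded; header names and the sample request are constructed and assume already-normalised header names.

```python
"""Added example (not Jupyter Server's own code): header logging on a
5xx before and after the 1.15.4 fix, plus a check for leaked credentials
in existing log text. Sample values below are constructed."""
import json
import re

# Allowlist taken from the fix commit; header names here are assumed
# to be already normalised (tornado's HTTPHeaders is case-insensitive).
SAFE_HEADERS = ("Host", "Accept", "Referer", "User-Agent")
# Header names whose values are credentials and must never reach logs.
SENSITIVE_HEADERS = ("Cookie", "Authorization", "Set-Cookie")


def headers_logged_before_fix(status, headers):
    """Pre-1.15.4 behaviour: every header is dumped on a 5xx (not 502)."""
    if status >= 500 and status != 502:
        return json.dumps(dict(headers), indent=2)
    return None


def headers_logged_after_fix(status, headers):
    """1.15.4 behaviour: only a fixed allowlist of headers is logged."""
    if status >= 500 and status != 502:
        subset = {h: headers[h] for h in SAFE_HEADERS if h in headers}
        return json.dumps(subset, indent=2)
    return None


def find_leaked_credentials(log_text):
    """Return sensitive header names found in a log excerpt; any hit in
    logs from an unpatched server means that token/cookie is exposed."""
    pattern = re.compile(r'"(%s)":\s*"' % "|".join(SENSITIVE_HEADERS))
    return sorted({m.group(1) for m in pattern.finditer(log_text or "")})


# Constructed sample request; the token value is a placeholder.
SAMPLE_HEADERS = {
    "Host": "localhost:8888",
    "Accept": "text/html",
    "User-Agent": "Mozilla/5.0 (constructed)",
    "Cookie": "_xsrf=abc123; username-localhost-8888=PLACEHOLDER_TOKEN",
    "Authorization": "token PLACEHOLDER_TOKEN",
}

if __name__ == "__main__":
    print("before fix:", find_leaked_credentials(headers_logged_before_fix(500, SAMPLE_HEADERS)))
    print("after fix: ", find_leaked_credentials(headers_logged_after_fix(500, SAMPLE_HEADERS)))
```

Any cookie or token that find_leaked_credentials reports in a real log should be treated as compromised and rotated, since the log file itself is readable without root.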
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| jupyter-server (PyPI) | < 1.15.4 | 1.15.4 |
Affected products
- jupyter-server/jupyter_server, range: < 1.15.4
Patches
- a5683aca0b0e: Merge pull request from GHSA-p737-p57g-4cpr
1 file changed · +6 −2
jupyter_server/log.py+6 −2 modified@@ -50,7 +50,11 @@ def log_request(handler): ns["referer"] = request.headers.get("Referer", "None") msg = msg + " referer={referer}" if status >= 500 and status != 502: - # log all headers if it caused an error - log_method(json.dumps(dict(request.headers), indent=2)) + # Log a subset of the headers if it caused an error. + headers = {} + for header in ['Host', 'Accept', 'Referer', 'User-Agent']: + if header in request.headers: + headers[header] = request.headers[header] + log_method(json.dumps(headers, indent=2)) log_method(msg.format(**ns)) prometheus_log_method(handler)
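Review bot: The new allowlist duplicates the Referer value that the unchanged context above already stores in ns["referer"] and appends to msg, so every 5xx log entry prints Referer twice; either drop 'Referer' from the list or drop the ns entry. Consider also hoisting ['Host', 'Accept', 'Referer', 'User-Agent'] to a named module-level constant and adding a regression test that issues a 500 with Cookie and Authorization headers set and asserts that neither value reaches log_method, so the original leak cannot be reintroduced by a later edit to this block.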
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-p737-p57g-4cpr (advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-24757 (advisory)
- github.com/jupyter-server/jupyter_server/commit/a5683aca0b0e412672ac6218d09f74d44ca0de5a (fix commit)
- github.com/jupyter-server/jupyter_server/security/advisories/GHSA-p737-p57g-4cpr (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/jupyter-server/PYSEC-2022-179.yaml (PyPA advisory database)