JupyterLab (jupyterlab-git extension), Stored XSS leading to RCE, CVE-2026-54527 (High) -DC-Jun2026-506


Vulnerability Overview

CVE-2026-54527 is a stored cross-site scripting (XSS) vulnerability in the `jupyterlab-git` extension for JupyterLab, discovered by AWS Security. The flaw resides in the `PlainTextDiff.ts` component, specifically within the `createHeader()` method. When rendering diffs for renamed files in a Git commit history, this method passes Git filenames directly to the `innerHTML` property without any sanitization.
An attacker with commit access to a shared repository can exploit this by creating a file with a malicious filename containing an HTML/JavaScript payload (e.g., <img src=x onerror=eval(atob("base64_payload"))>.py). After renaming the file in a subsequent commit and pushing both changes to the repository, the payload becomes stored in the Git history.
When a victim clones or pulls the repository and views the rename diff in the Git History tab, the unsanitized filename is rendered via innerHTML, executing the attacker’s JavaScript in the victim’s browser. The injected script can read the `_xsrf` cookie, make a POST request to `/api/terminals` to open a new terminal, connect via WebSocket, and execute arbitrary shell commands—leading to full remote code execution (RCE). This allows the attacker to exfiltrate sensitive data, including user code, environment variables, and credentials.
The attack requires the victim to navigate to the Git History tab, click on the rename commit, and then click the renamed file to view the diff.

DailyCVE Form

Platform: JupyterLab
Version: 0.30.0b3 – 0.54.0a1
Vulnerability: Stored XSS
Severity: High
Date: 2026-06-18

Prediction: 2026-06-25

What Undercode Say

Check installed version of jupyterlab-git
pip show jupyterlab-git
Compare the reported version against the affected range (0.30.0b3 <= version < 0.54.0a1); the following only tells you whether a newer release is available, not whether the installed one is affected
pip list --outdated | grep jupyterlab-git

The vulnerability stems from the lack of output encoding in the `createHeader()` method. The following code snippet from `PlainTextDiff.ts` around line 214 demonstrates the unsafe pattern:

// Vulnerable code in PlainTextDiff.ts (the interpolated variable name is elided in the source report)
createHeader() {
  // ...
  element.innerHTML = `<code><span>${unknown}</span></code>`; // Git filename inserted as HTML without escaping
  // ...
}

Exploit

Attack Flow:

  1. Craft Payload: Create a file with a malicious filename containing JavaScript. Example: <img src=x onerror=eval(atob("base64_payload"))>.py.
  2. Commit and Push: Commit this file, rename it in a subsequent commit, and push both commits to a shared Git repository.
  3. Victim Interaction: The victim clones or pulls the repository and navigates to the Git History tab in JupyterLab.
  4. Trigger: The victim clicks the rename commit and then clicks the renamed file to view the diff.
  5. Execution: The `createHeader()` method renders the unsanitized filename using innerHTML, executing the JavaScript payload in the victim’s browser.
  6. RCE: The script reads the `_xsrf` cookie, sends a POST to /api/terminals, connects via WebSocket, and executes shell commands.

Example Payload (Base64 encoded):

// Placeholder only: "cmV2ZXJzZV9zaGVsbC5weQ==" decodes to the string "reverse_shell.py", not to executable JavaScript
const payload = "cmV2ZXJzZV9zaGVsbC5weQ==";
// The attacker would use: <img src=x onerror=eval(atob("cmV2ZXJzZV9zaGVsbC5weQ=="))>.py

Protection

  • Upgrade: Immediately upgrade `jupyterlab-git` to version 0.54.0 or later, which contains the official patch.
    pip install --upgrade jupyterlab-git
    
  • Mitigation (if unable to upgrade): Apply the patch manually by replacing `innerHTML` with `textContent` in the `createHeader()` method of PlainTextDiff.ts. Alternatively, implement proper HTML sanitization (escaping <, >, &, ", ') for all user-controlled filenames before inserting them into the DOM.
  • General Security Practice: Avoid opening untrusted Git repositories or viewing diffs of renamed files from unknown sources until the patch is applied.
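The following is an added example, not jupyterlab-git's own code: it puts the unsafe createHeader() pattern from the snippet above beside the escaped form the mitigation bullet describes, and adds a defender-side scan of `git diff --name-status` output for renamed paths that carry HTML markup. The function names and the sample git output are constructed for this illustration.

```typescript
// Escape the five characters the advisory lists so a filename can be
// interpolated into an HTML string without the browser parsing it as markup.
// "&" is replaced first so the entities produced below are not re-encoded.
function escapeHtml(s: string): string {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Mirrors the vulnerable createHeader() shape: the raw filename lands in the
// markup, so "<img ...>.py" becomes a live element once assigned to innerHTML.
function unsafeHeader(filename: string): string {
  return `<code><span>${filename}</span></code>`;
}

// Hardened equivalent: the filename is encoded before interpolation.
// (Assigning the filename via element.textContent instead of innerHTML
// achieves the same result when a real DOM is available.)
function safeHeader(filename: string): string {
  return `<code><span>${escapeHtml(filename)}</span></code>`;
}

// Defender check: parse `git diff --name-status` / `git log --name-status`
// lines and return the new path of every rename that contains "<" or ">".
// Rename lines have the form "R<score>\t<old path>\t<new path>".
function findSuspiciousRenames(nameStatus: string): string[] {
  const hits: string[] = [];
  for (const line of nameStatus.split("\n")) {
    const cols = line.split("\t");
    if (!/^R\d*$/.test(cols[0]) || cols.length < 3) continue;
    const newPath = cols[2];
    if (/[<>]/.test(newPath)) hits.push(newPath);
  }
  return hits;
}

// Constructed sample output; the second line is the rename shape the advisory warns about.
const SAMPLE_NAME_STATUS = [
  "M\tREADME.md",
  "R100\tnotes.py\t<img src=x onerror=alert(1)>.py",
  "R090\tsrc/a.ts\tsrc/b.ts",
].join("\n");

console.log("flagged renames:", findSuspiciousRenames(SAMPLE_NAME_STATUS));
```

Run the scan over `git log --name-status --diff-filter=R` output before opening a diff of a repository you do not control; a hit is a reason to upgrade first.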

Impact

  • Confidentiality: Full access to user code, data, environment variables, and credentials stored in the JupyterLab session.
  • Integrity: Ability to modify files, install malware, or alter the JupyterLab environment.
  • Availability: Potential to halt services or compromise the entire server.
  • Scope: The vulnerability is present in the default configuration of JupyterLab when the `jupyterlab-git` extension is installed. It affects all versions from 0.30.0b3 up to, but not including, 0.54.0.


Sources:

Reported By: github.com