CVE-2025-61669

Publication date 5 May 2026

Last updated 13 May 2026

Ubuntu priority

Description

Jupyter Server is the backend for Jupyter web applications. In jupyter_server versions through 2.17.0, the next query parameter in the login flow is insufficiently validated in `LoginFormHandler._redirect_safe()`, which allows redirects to arbitrary external domains via values such as `///example.com`. An attacker can use a crafted login URL to redirect users to a malicious site and facilitate phishing attacks. This issue is fixed in version 2.18.0.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
jupyter-server	26.04 LTS resolute	Needs evaluation
	25.10 questing	Needs evaluation
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Needs evaluation

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-61669
https://github.com/jupyter-server/jupyter_server/security/advisories/GHSA-qh7q-6qm3-653w

CVE-2025-61669

Description

Status

References

Other references

Access our resources on patching vulnerabilities