### Summary

The `?next=...` URL query parameter has an open redirection vulnerability. In `jupyter_server<=2.17.0`, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| jupyter-server | pip | <= 2.17.0 | 2.18.0 |
Recommended Action
Patch available
Update jupyter-server to version 2.18.0
Frequently Asked Questions
What is CVE-2025-61669?
Jupyter Server has an open redirection vulnerability in the `next` query parameter of its login handler.
Is CVE-2025-61669 actively exploited?
No confirmed active exploitation of CVE-2025-61669 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-61669?
Update to patched version: jupyter-server 2.18.0.
What is the CVSS score for CVE-2025-61669?
No CVSS score has been assigned yet.
Technical Details
NVD Description
### Summary

The `?next=...` URL query parameter has an open redirection vulnerability. In `jupyter_server<=2.17.0`, this URL query parameter allows redirection to arbitrary external domains, which can be exploited to facilitate phishing attacks on server users.

### Details

The vulnerability is caused by insufficient validation in the `LoginFormHandler._redirect_safe()` method.

- Source code reference: https://github.com/jupyter-server/jupyter_server/blob/987ebdd5e188cdc49751b01a0d6782d686492a53/jupyter_server/auth/login.py#L33-L76

This vulnerability was originally reported by Noriaki Iwasaki. All discovery credit goes to them.

### PoC

1. Navigate to `http://localhost:8888/login?next=///google.com`
2. Observe that the user is redirected to `google.com` despite it being an external domain.

The external domain passed in the `?next` parameter may be replaced with a malicious lookalike to facilitate phishing attacks. Jupyter Server deployments served on a public domain are especially vulnerable, as `prod.company.com` may be redirected to a look-alike URL such as `prod.company.dev`.

### Impact

This vulnerability affects all users, especially enterprise users who work with sensitive/confidential data.

### Patches

Jupyter Server 2.18+

### Workaround

None.
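As an added example (not Jupyter Server's own code or its fix), the check below contrasts a `next` validator that trusts `urlparse()`'s empty `netloc`, which lets the triple-slash value from the PoC through, with a stricter one that treats any leading run of slashes or backslashes as an authority, the way browsers do. The function names and the `base_url` parameter are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample values for a "next" parameter (the first one is the
# advisory's own PoC value); everything else here is illustrative.
SAMPLE_NEXT_VALUES = ["///google.com", "//google.com", "/\\google.com",
                      "https://google.com/", "/tree", "tree"]


def naive_is_safe(next_url: str) -> bool:
    """A check that '///google.com' slips past: Python's urlparse() stops
    reading the authority at the first '/' after '//', so netloc is ''
    and path is '/google.com', although browsers send the user to
    google.com (the WHATWG parser skips any number of leading slashes)."""
    parts = urlparse(next_url)
    return not parts.scheme and not parts.netloc


def hardened_is_safe(next_url: str, base_url: str = "/") -> bool:
    """Accept only an absolute path on this server, under base_url."""
    # Browsers treat backslashes as slashes in http(s) URLs, so normalise
    # them before looking at the string.
    candidate = next_url.replace("\\", "/")
    # Control characters and whitespace can hide a scheme or split headers.
    if any(ord(c) < 0x20 or c == "\x7f" for c in candidate):
        return False
    parts = urlparse(candidate)
    if parts.scheme or parts.netloc:
        return False
    # Two or more leading slashes are an authority to a browser, whatever
    # urlparse() reported above.
    if candidate.startswith("//"):
        return False
    # Relative values are rejected rather than resolved, and the path must
    # stay inside the server's base_url prefix.
    return candidate.startswith("/") and candidate.startswith(base_url)


def classify(values=SAMPLE_NEXT_VALUES):
    """Return {value: (naive verdict, hardened verdict)} for inspection."""
    return {v: (naive_is_safe(v), hardened_is_safe(v)) for v in values}


if __name__ == "__main__":
    for value, (naive, hardened) in classify().items():
        print(f"{value!r:24} naive={naive!s:5} hardened={hardened}")
```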