Severity: HIGH

GHSA-24qx-w28j-9m6p

Jupyter Server has a CORS Origin Validation Bypass via `re.match()` in `allow_origin_pat` (from huntr)

Details

Jupyter Server validates the `Origin` request header against the `allow_origin_pat` configuration option using `re.match()`.

`re.match()` anchors the pattern only at the start of the string, so it accepts any `Origin` value that merely begins with a match. A pattern written to allow only `trusted.example.com` but lacking a trailing anchor (for example `https?://trusted\.example\.com`) therefore also accepts an attacker-controlled origin such as `http://trusted.example.com.evil.com/`, where the trusted name is just a prefix of a host the attacker owns. `re.fullmatch()` requires the entire `Origin` value to match the pattern and is the appropriate replacement (see References).
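The following is an added example, not code from the advisory or from Jupyter Server itself; the pattern, the origins and the helper names are constructed for illustration. It contrasts the vulnerable `re.match()` check with a `re.fullmatch()` check and with the anchored-pattern workaround, and includes a same-host, different-port origin to show that the hardened check is also stricter about what it lets through:

```python
import re

# Constructed pattern (an assumption for this example, not from the advisory):
# written the way an operator who wants to allow only https://trusted.example.com
# might write it, with no trailing anchor.
ALLOW_ORIGIN_PAT = r"https?://trusted\.example\.com"

# Constructed Origin header values for the demonstration.
CONSTRUCTED_ORIGINS = [
    "https://trusted.example.com",                   # legitimate
    "https://trusted.example.com.evil.com",          # attacker-owned lookalike host
    "https://trusted.example.com:8443",              # same host, port not in the pattern
    "https://evil.com/https://trusted.example.com",  # trusted name not at the start
]


def origin_allowed_match(origin: str, pat: str) -> bool:
    """Vulnerable check: re.match() anchors only at the start of the string,
    so any Origin that merely *begins* with a match is accepted."""
    return re.match(pat, origin) is not None


def origin_allowed_fullmatch(origin: str, pat: str) -> bool:
    """Hardened check: re.fullmatch() requires the whole Origin value to
    match, so a lookalike host with trailing characters is rejected."""
    return re.fullmatch(pat, origin) is not None


def anchor_pattern(pat: str) -> str:
    """Workaround for a server that still calls re.match(): group the
    operator's pattern and anchor both ends. The '^' is redundant under
    re.match() but harmless; the '$' is what closes the hole. The group
    matters when the pattern uses '|', otherwise the anchors would bind
    only to the first and last alternative. Note that in Python '$' also
    matches just before a trailing newline; use '\\Z' if that matters."""
    return r"^(?:" + pat + r")$"


def evaluate(origins, pat=ALLOW_ORIGIN_PAT):
    """Return {origin: (re.match result, re.fullmatch result,
    re.match result with the anchored workaround pattern)}."""
    anchored = anchor_pattern(pat)
    return {
        o: (
            origin_allowed_match(o, pat),
            origin_allowed_fullmatch(o, pat),
            origin_allowed_match(o, anchored),
        )
        for o in origins
    }


if __name__ == "__main__":
    for origin, (vuln, full, anchored) in evaluate(CONSTRUCTED_ORIGINS).items():
        print(f"{origin:48} re.match={vuln!s:5} "
              f"re.fullmatch={full!s:5} anchored+re.match={anchored}")
```

Running the block prints one line per origin; the lookalike host is accepted only by the unanchored `re.match()` check, and the port variant shows that `re.fullmatch()` (and the anchored workaround) also reject origins the operator's pattern never explicitly allowed, which is the behaviour you want from an allowlist.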

### Impact

Affected versions: <= 2.17.0

### Patches

Fix commits:

- 057869a327c46730afede3eab0ca2d2e3e74acea
- 49b34392feaa97735b3b777e3baf8f22f2a14ed8

### Workarounds

Wrap your `allow_origin_pat` value with `^` and `$`. The `^` is redundant under `re.match()` but harmless; the trailing `$` is what closes the hole. If the pattern contains alternation (`|`), group it first (for example `^(?:...)$`) so the anchors apply to every alternative rather than only the first and last one.

### References

- https://github.com/jupyter-server/jupyter_server/pull/603
- https://docs.python.org/3/library/re.html#re.fullmatch
- https://docs.python.org/3/library/re.html#re.match


Affected packages

PyPI / jupyter-server
Introduced in: 0
Fixed in: 2.18.0
Fix: `pip install --upgrade 'jupyter-server>=2.18.0'`
