GHSA-6vxv-wg6j-5qwp
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
Details
### Summary
Gogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.
### Details
Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:
https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47
The latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.
### PoC
1. Create a new repository 2. Create a file inside the repository named `xss.ipynb` and give it the following content:
```json {"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2} ```
<img width="1054" height="208" alt="image" src="https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de" />
3. Save the file and view the file in Gogs. Notice that the XSS popup triggers:
<img width="1317" height="407" alt="image" src="https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07" />
### Impact
Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.
Are you affected?
Enter the version of the package you're using.