Jupyter Server Origin Header Validation Bypass Vulnerability Allowing CORS Misconfiguration

Vulnerability

Jupyter Server versions up to and including 2.17.0 allow CORS origin validation to be bypassed. The `allow_origin_pat` configuration is evaluated with Python's `re.match()`, which anchors the pattern only at the start of the string, so any origin that merely begins with a match for the trusted pattern is accepted. An attacker who controls a domain whose origin starts with a trusted origin can therefore bypass CORS restrictions and make cross-origin requests to the Jupyter Server API from an untrusted site.

Impact

Exploitation of this vulnerability could lead to unauthorized cross-origin requests being made to the Jupyter Server API, potentially allowing for unauthorized actions or data access on behalf of the user.

Reproduction

To reproduce this vulnerability, set the `allow_origin_pat` configuration to a pattern that matches a trusted origin, such as `https://trusted.example.com`. Then send a request whose `Origin` header begins with that trusted origin, such as `https://trusted.example.com.evil.com`. Because the pattern is anchored only at the start of the string, the origin is accepted and the CORS restriction is bypassed.
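The two paragraphs above (Vulnerability and Reproduction) both come down to the difference between `re.match()` and a full-string match. The following is an added example modelled on the advisory's description; it is not jupyter_server's own code, and the pattern and origin strings are constructed for illustration. It places the prefix-anchored check beside a whole-origin check so the bypass and its fix can be seen side by side.

```python
import re

# Constructed trusted-origin pattern (stands in for an allow_origin_pat value).
# Dots are escaped so the pattern matches only the literal host.
TRUSTED_PATTERN = r"https://trusted\.example\.com"


def origin_allowed_prefix(origin: str, pattern: str = TRUSTED_PATTERN) -> bool:
    """Vulnerable form: re.match() anchors only at the start of the string,
    so any origin that merely begins with a match is accepted."""
    return re.match(pattern, origin) is not None


def origin_allowed_full(origin: str, pattern: str = TRUSTED_PATTERN) -> bool:
    """Hardened form: re.fullmatch() requires the entire origin to match,
    so a trusted origin followed by extra characters is rejected."""
    return re.fullmatch(pattern, origin) is not None


# Constructed Origin header values covering the trusted origin, the
# prefix-extension case from the advisory, a port variant, and an unrelated host.
SAMPLE_ORIGINS = [
    "https://trusted.example.com",
    "https://trusted.example.com.evil.com",
    "https://trusted.example.com:8888",
    "https://evil.com",
]


def compare(origins=SAMPLE_ORIGINS) -> dict:
    """Return {origin: (accepted_by_prefix_check, accepted_by_full_check)}."""
    return {o: (origin_allowed_prefix(o), origin_allowed_full(o)) for o in origins}


if __name__ == "__main__":
    for origin, (prefix_ok, full_ok) in compare().items():
        print(f"{origin:40s} re.match={prefix_ok!s:5s} re.fullmatch={full_ok}")
```

Running the block shows that `re.match()` accepts both `https://trusted.example.com.evil.com` and `https://trusted.example.com:8888` (a different origin under the same-origin policy), while `re.fullmatch()` accepts only the exact trusted origin. `re.fullmatch()` is preferable to appending `$` to the pattern, because in Python `$` also matches before a trailing newline.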

Remediation

Update to Jupyter Server version 2.18.0 or later, where this vulnerability has been fixed. Additionally, review the `allow_origin_pat` configuration and adjust it so that it is matched against the whole origin rather than only a prefix of it.

Added: May 5, 2026, 10:20 PM
Updated: May 5, 2026, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 1.5
exploitability: 7.4
remediation: 8.3
relevance: 7.3
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.