JupyterHub
cpe:2.3:a:jupyter:jupyterhub:*:*:*:*:*:*:*
- >= 4.1.0, < 5.4.5
A vulnerability in JupyterHub versions 4.1.0 prior to 5.4.5 allows cross-site request forgery (XSRF) protection to be bypassed. The issue arises because requests with 'Sec-Fetch-Mode: no-cors' are incorrectly treated as same-origin, leading to a failure in XSRF checks. This vulnerability affects HTTP form endpoints, such as '/hub/spawn' and '/hub/accept-share', but does not impact the JSON API. As a result, an attacker could trigger a server to spawn (without accessing it) or, if they are a JupyterHub user allowed to share their server, cause another user to accept a share and gain access to the attacker's server.
Exploitation of this vulnerability could lead to unauthorized server spawning or, for users permitted to share their JupyterHub server, allow an attacker to gain access to their server through the acceptance of a shared access request.
Users can upgrade to JupyterHub version 5.4.5 to address this vulnerability. If a reverse proxy is used, requests to JupyterHub with 'Sec-Fetch-Mode: no-cors' should be dropped.
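The reverse-proxy workaround above, written out as an added nginx example (not configuration from the advisory or from the JupyterHub project). It assumes nginx terminates TLS in front of a JupyterHub listening on 127.0.0.1:8000 and a hostname of hub.example.org; both are placeholders. Browsers also send `Sec-Fetch-Mode: no-cors` for same-origin subresource loads such as `<img>` and `<script>`, so the rule below only rejects POST requests to `/hub/`, which covers the form endpoints the advisory names (`/hub/spawn`, `/hub/accept-share`) without breaking page assets; change the `map` to match every `no-cors` request if you prefer the advisory's blanket rule. This is a stopgap until the upgrade to 5.4.5.

```nginx
# Added example; not part of the advisory or the JupyterHub project.
# Assumptions: nginx is the reverse proxy, JupyterHub listens on
# 127.0.0.1:8000, hostname hub.example.org (all placeholders).

# Flag POST requests that the browser sent in "no-cors" mode. The advisory
# states that affected JupyterHub versions treated such requests as
# same-origin and skipped the XSRF check, so they are stopped at the proxy.
# Scoped to POST so same-origin <img>/<script> loads (also no-cors) still work.
map "$request_method:$http_sec_fetch_mode" $reject_no_cors_post {
    default          0;
    "POST:no-cors"   1;
}

server {
    listen 443 ssl;
    server_name hub.example.org;          # placeholder hostname

    # TLS directives omitted; keep your existing certificate configuration.

    # Form endpoints such as /hub/spawn and /hub/accept-share live under /hub/.
    location /hub/ {
        if ($reject_no_cors_post) {
            return 403;                   # drop the request before it reaches JupyterHub
        }
        proxy_pass http://127.0.0.1:8000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else (user servers, websockets) is proxied unchanged.
    location / {
        proxy_pass http://127.0.0.1:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After reloading nginx (`nginx -t && nginx -s reload`), a rejected request appears in the access log with status 403; counting those entries over time is a simple way to see whether anything is actually probing the form endpoints in no-cors mode.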