jupyterlab
cpe:2.3:a:jupyter:jupyterlab:*:*:*:*:*:*:*
- >= 4.0.0, <= 4.5.6
A vulnerability exists in JupyterLab versions 4.0.0 prior to 4.5.6, where the allow-list for extensions that can be installed from the PyPI Extension Manager is not properly enforced. This flaw allows packages from outside the default PyPI index to be installed, potentially undermining security measures in multi-tenant deployments or environments with restricted package installation.
Exploitation of this vulnerability could lead to unauthorized privilege escalation, allowing an authenticated user to access and manipulate data or resources they are not authorized to, and potentially to compromise the server infrastructure.
Users should update JupyterLab to version 4.5.7, which includes the necessary patch. For applications that depend on JupyterLab, such as Notebook v7+, the 'jupyterlab' package should also be updated. As an additional step, users can switch to a read-only extension manager to prevent unauthorized installations.