CVE-2024-41177: Apache Zeppelin: XSS in the Helium module

August 3, 2025 (updated August 4, 2025)

Incomplete Blacklist to Cross-Site Scripting vulnerability in Apache Zeppelin.

This issue affects Apache Zeppelin: before 0.12.0.

Users are recommended to upgrade to version 0.12.0, which fixes the issue.

References

github.com/advisories/GHSA-p288-459w-jxj6
github.com/apache/zeppelin
github.com/apache/zeppelin/pull/4755
github.com/apache/zeppelin/pull/4795
lists.apache.org/thread/nwh8vh9f3pnvt04n8z4g2kbddh62blr6
nvd.nist.gov/vuln/detail/CVE-2024-41177

Code Behaviors & Features

Detect and mitigate CVE-2024-41177 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →