CVE-2025-23205: nbgrader's `frame-ancestors: self` grants all users access to formgrader
Enabling `frame-ancestors: 'self'` grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`.
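The advisory's point is that `'self'` in `frame-ancestors` is only as strong as the origin it names: when JupyterHub serves every user's server from one shared origin (the default, `enable_subdomains = False`), `'self'` lets any page on that origin frame formgrader. The following check, an added example that is not nbgrader or JupyterHub code, parses a Content-Security-Policy header and reports whether its `frame-ancestors` directive is adequate for a given deployment. The `subdomains_enabled` argument mirrors the advisory's `enable_subdomains` setting; the sample headers are constructed, and the check deliberately looks only at CSP, not at `X-Frame-Options`.

```python
"""Assess the frame-ancestors directive of a CSP header for the shared-origin
framing risk described in CVE-2025-23205.

Added example: not nbgrader's or JupyterHub's own code. The `subdomains_enabled`
flag stands in for JupyterHub's `enable_subdomains` setting named in the advisory.
"""
from __future__ import annotations

from dataclasses import dataclass


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a CSP header into {directive-name: [source values]}.

    Directives are ';'-separated; the first token of each is the directive
    name (case-insensitive), the remaining tokens are its sources. If a
    directive is repeated, browsers honour the first occurrence, so we do too.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


@dataclass
class FramingAssessment:
    sources: list[str] | None   # the frame-ancestors sources, or None if absent
    verdict: str                # "blocked", "ok", "risky" or "review"
    reason: str


def assess_frame_ancestors(header: str, subdomains_enabled: bool) -> FramingAssessment:
    """Decide whether frame-ancestors protects a per-user page on this deployment.

    'none'  -> framing blocked entirely.
    'self'  -> fine only if each user's server has its own (sub)domain; on a
               shared origin every other user's page is 'self' too.
    '*'     -> any origin may frame the page.
    other   -> an explicit allow-list; each host needs manual review.
    """
    sources = parse_csp(header).get("frame-ancestors")
    if sources is None:
        return FramingAssessment(None, "risky",
                                 "no frame-ancestors directive: CSP imposes no framing restriction")
    lowered = [s.lower() for s in sources]
    if lowered == ["'none'"]:
        return FramingAssessment(sources, "blocked", "framing by any origin is disallowed")
    if "*" in lowered:
        return FramingAssessment(sources, "risky", "wildcard allows framing from any origin")
    if "'self'" in lowered:
        if not subdomains_enabled:
            return FramingAssessment(sources, "risky",
                                     "'self' is the shared JupyterHub origin, so any user's "
                                     "page on the hub may frame this one")
        return FramingAssessment(sources, "ok",
                                 "'self' resolves to this server's own subdomain")
    return FramingAssessment(sources, "review",
                             "explicit ancestor list: confirm every listed host is trusted")


if __name__ == "__main__":
    # Constructed sample headers for illustration.
    samples = [
        ("default-src 'self'; frame-ancestors 'self'", False),
        ("default-src 'self'; frame-ancestors 'self'", True),
        ("default-src 'self'; frame-ancestors 'none'", False),
        ("default-src 'self'", False),
    ]
    for header, subdomains in samples:
        result = assess_frame_ancestors(header, subdomains)
        print(f"subdomains={subdomains!s:5} {result.verdict:8} {header!r}: {result.reason}")
```

Run against a deployment's actual response headers, the check turns the advisory's condition into a concrete question: is the origin named by `'self'` shared with other users? A `risky` verdict on the first sample is exactly the CVE-2025-23205 situation; the same header on a subdomain-per-user hub is `ok`, and `'none'` is the setting that removes the question altogether.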
References
- github.com/advisories/GHSA-fcr8-4r9f-r66m
- github.com/jupyter/nbgrader
- github.com/jupyter/nbgrader/commit/73e137511ac1dc02e95790d4fd6d4d88dab42325
- github.com/jupyter/nbgrader/pull/1915
- github.com/jupyter/nbgrader/security/advisories/GHSA-fcr8-4r9f-r66m
- jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html
- nvd.nist.gov/vuln/detail/CVE-2025-23205