We have just released Jupyter Notebook 5.6.0. This release fixes a vulnerability that could allow a maliciously crafted notebook to execute JavaScript when it is opened, bypassing the trusted-notebook mechanism.
We recommend updating the notebook package immediately, via pip:
pip install "notebook>=5.6.0"
or conda:
conda install "notebook>=5.6.0"
(Quote the requirement: left unquoted, the shell reads the `>` in `>=5.6.0` as an output redirection and pip or conda never sees the version constraint.)
Affected versions: all releases prior to 5.6.0
JupyterLab users are also affected, whatever version of JupyterLab they run, because JupyterLab is served by the same notebook server package. Upgrading the notebook package to 5.6.0 resolves the issue for users of both JupyterLab and the classic notebook.
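To confirm that an environment actually picked up the fix, the check below reads the installed version of the notebook package and compares it against 5.6.0, treating pre-releases such as 5.6.0rc1 as still vulnerable. This is an added example, not code from the Jupyter project or this announcement; the version parser and the `is_fixed` helper are our own, and the only fact taken from the post is that 5.6.0 is the first fixed release.

```python
"""Check whether the installed ``notebook`` package carries the 5.6.0 fix.

Added example (not part of the Jupyter announcement). It reads the installed
version with importlib.metadata (stdlib on Python 3.8+) and compares it with
the first fixed release, so that pre-releases such as 5.6.0rc1 are reported as
vulnerable while post-releases such as 5.6.0.post1 are reported as fixed.
"""
import re

try:
    from importlib import metadata  # Python 3.8+
except ImportError:  # pragma: no cover - very old interpreters
    metadata = None

# First release with the fix, per the announcement.
FIXED_VERSION = "5.6.0"

# Release numbers, then an optional pre/post tag such as rc1, a2, .dev0, .post1.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([.\-]?[a-zA-Z]+\d*)?")


def parse_version(text):
    """Turn a version string into a tuple that orders the way releases do.

    Result layout: (numbers, phase, tag, tag_number) where phase is
    0 for pre-releases, 1 for final releases and 2 for post-releases, so
    5.6.0rc1 < 5.6.0 < 5.6.0.post1 under ordinary tuple comparison.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised version string: %r" % text)
    numbers = tuple(int(part) for part in match.group(1).split("."))
    # Pad so that "5.6" compares equal to "5.6.0".
    if len(numbers) < 3:
        numbers = numbers + (0,) * (3 - len(numbers))
    suffix = match.group(2)
    if suffix is None:
        return (numbers, 1, "", 0)
    suffix = suffix.lstrip(".-")
    tag = re.match(r"[a-zA-Z]+", suffix).group(0).lower()
    tag_number = int(suffix[len(tag):] or 0)
    if tag == "post":
        return (numbers, 2, "", tag_number)
    return (numbers, 0, tag, tag_number)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True if ``installed`` is at or beyond the first fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def installed_version(distribution="notebook"):
    """Installed version of a distribution, or None if it is absent."""
    if metadata is None:
        return None
    try:
        return metadata.version(distribution)
    except metadata.PackageNotFoundError:
        return None


def check(distribution="notebook"):
    """Human-readable verdict for the current environment."""
    version = installed_version(distribution)
    if version is None:
        return "%s is not installed in this environment" % distribution
    if is_fixed(version):
        return "%s %s: includes the 5.6.0 fix" % (distribution, version)
    return "%s %s: VULNERABLE, upgrade to >= %s" % (distribution, version, FIXED_VERSION)


if __name__ == "__main__":
    print(check())
    # JupyterLab installs are covered by the notebook package's version, so the
    # same check applies whether or not jupyterlab is present.
    if installed_version("jupyterlab") is not None:
        print("jupyterlab present: its exposure is governed by the notebook version above")
```

Run it inside every virtualenv or conda environment that has the notebook server installed; an environment may carry its own copy, so a patched system interpreter says nothing about the others.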
A CVE has been requested for the vulnerability. The release notes for 5.6.0 and this post will be updated when the CVE is assigned. Further details of the vulnerability will be released in 30 days, on August 16, 2018.
Security reports for Jupyter are greatly appreciated. You can report security issues to security@ipython.org.
Thanks to Jonathan Kamens for reporting this issue to the security list.
Security fix for Jupyter Notebook was originally published in Jupyter Blog on Medium.