GHSA-cj5w-8mjf-r5f8

Suggest an improvement
Source
https://github.com/advisories/GHSA-cj5w-8mjf-r5f8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-cj5w-8mjf-r5f8/GHSA-cj5w-8mjf-r5f8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cj5w-8mjf-r5f8
Aliases
Related
Published
2025-04-04T14:05:42Z
Modified
2025-04-04T14:57:28.012617Z
Severity
  • 7.4 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H CVSS Calculator
Summary
jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
Details

Overview

On many platforms, a third party can create a Git repository under a name that includes a shell command substitution [^1] string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions [^2]. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission.

This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd <git-repo-path> through the shell to set the current directory [^3]. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix [^4].

Scope of Impact

This issue allows for arbitrary code execution via command injection. A wide range of actions are permitted by this issue, including but not limited to: modifying files, exfiltrating data, halting services, or compromising the server's security rules.

We have scanned the source code of jupyterlab-git for other command injection risks, and have not found any at the time of writing.

This issue was reproduced on the latest release of jupyterlab-git, v0.51.0. The steps taken to reproduce this issue are described in the "Proof-of-concept" section below.

Proof-of-concept

  1. Create a new directory via mkdir test/ && cd test/.

  2. Create a new Git repository under test/ with a command substitution string in the directory name by running these commands:

    mkdir '$(touch pwned.txt)'
    cd '$(touch pwned.txt)/'
    git init
    cd ..
    
  3. Start JupyterLab from test/ by running jupyter lab.

  4. With JupyterLab open in the browser, double click on $(touch pwned.txt) in the file browser.
  5. From the top menu bar, click "Git > Open Git Repository in Terminal".
  6. Verify that pwned.txt is created under test/. This demonstrates the command injection issue described here.

Proof-of-concept mitigation

The issue can be mitigated by the patch shown below.

<details><summary>Patch (click to expand)</summary>

diff --git a/src/commandsAndMenu.tsx b/src/commandsAndMenu.tsx
index 3779a6c..71ddcea 100644
--- a/src/commandsAndMenu.tsx
+++ b/src/commandsAndMenu.tsx
@@ -164,31 +164,13 @@ export function addCommands(
     label: trans.__('Open Git Repository in Terminal'),
     caption: trans.__('Open a New Terminal to the Git Repository'),
     execute: async args => {
-      const main = (await commands.execute(
-        'terminal:create-new',
-        args
-      )) as MainAreaWidget<ITerminal.ITerminal>;
+      const cwd = gitModel.pathRepository;
+      const main = (await commands.execute('terminal:create-new', {
+        ...args,
+        cwd
+      })) as MainAreaWidget<ITerminal.ITerminal>;

-      try {
-        if (gitModel.pathRepository !== null) {
-          const terminal = main.content;
-          terminal.session.send({
-            type: 'stdin',
-            content: [
-              `cd "${gitModel.pathRepository
-                .split('"')
-                .join('\\"')
-                .split('`')
-                .join('\\`')}"\n`
-            ]
-          });
-        }
-
-        return main;
-      } catch (e) {
-        console.error(e);
-        main.dispose();
-      }
+      return main;

</details>

This patch removes the cd <git-repo-path> shell command that causes the issue. To preserve the existing behavior, the cwd argument is set to <git-repo-path> when a terminal session is created via the terminal:create-new JupyterLab command. This preserves the existing application behavior while mitigating the command injection issue.

We have verified that this patch works when applied to a local installation of jupyterlab-git. We have also verified that the cwd argument is available in all versions of JupyterLab 4, so this patch should be fully backwards-compatible.

Workarounds

We recommend that users upgrade to the patched versions listed on this GHSA. However, if a user is unable to upgrade, there are 3 different ways to mitigate this vulnerability without upgrading to a patch.

  1. Disable terminals on jupyter-server level:

    c.ServerApp.terminals_enabled =  False
    
  2. Disable the terminals server extension:

    jupyter server extension disable jupyter_server_terminals
    
  3. Disable the lab extension:

    jupyter labextension disable @jupyterlab/terminal-extension
    
Database specific
{
    "nvd_published_at": "2025-04-03T22:15:21Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-04T14:05:42Z"
}
References

Affected packages

PyPI / jupyterlab-git

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.51.1

Affected versions

0.*

0.1.1
0.1.2
0.2.0
0.2.2
0.3.0
0.4.4
0.5.0
0.6.0
0.6.1
0.8.0
0.8.1
0.9.0rc1
0.9.0
0.9.1
0.10.0
0.10.1rc0
0.10.1
0.11.0rc0
0.11.0rc1
0.11.0
0.20.0rc0
0.20.0
0.21.0a0
0.21.0a1
0.21.0rc0
0.21.0
0.21.1
0.22.0
0.22.1
0.22.2
0.22.3
0.23.0
0.23.1
0.23.2
0.23.3
0.24.0
0.30.0b1
0.30.0b2
0.30.0b3
0.30.0
0.30.1
0.31.0a0
0.31.0
0.32.0
0.32.1
0.32.2
0.32.3
0.32.4
0.33.0
0.34.0
0.34.1
0.34.2
0.35.0
0.36.0
0.37.0
0.37.1
0.38.0
0.39.0
0.39.1
0.39.2
0.39.3
0.40.0
0.40.1
0.41.0
0.42.0rc0
0.42.0
0.43.0
0.44.0
0.50.0a0
0.50.0a1
0.50.0a2
0.50.0rc0
0.50.0
0.50.1
0.50.2
0.51.0