Safety vulnerability ID: 75040
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Nbgrader reverted a PR that had disabled a protection. With the protection disabled, a user Alice could craft a page that embeds formgrader in an iframe. If Bob visits that page, his credentials are sent and the formgrader page loads with his authentication. Because Alice's page shares the same origin as the embedded formgrader iframe, JavaScript on Alice's page gains full access to the contents of the formgrader page loaded with Bob's credentials.
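The framing page in this scenario is same-origin, so header values that only stop cross-origin parents do not help. The following is an added example, not nbgrader's code: it reports whether a same-origin parent may still frame a response. The page does not say which protection nbgrader restored, so the standard anti-framing headers (`Content-Security-Policy: frame-ancestors` and `X-Frame-Options`) are assumed, and the origin `https://hub.example.org` and the header sets are constructed.

```python
from urllib.parse import urlsplit

def _source_allows(source, origin):
    """Simplified match of one frame-ancestors source against a same-origin parent."""
    source, o = source.lower(), urlsplit(origin.lower())
    if source in ("'self'", "*"):
        return True                          # parent and framed page share `origin`
    if source.endswith(":"):                 # scheme source such as "https:"
        return source[:-1] == o.scheme
    s = urlsplit(source if "://" in source else f"{o.scheme}://{source}")
    if s.scheme != o.scheme:
        return False
    if (s.hostname or "").startswith("*."):  # wildcard host; port not compared
        return (o.hostname or "").endswith(s.hostname[1:])
    return s.netloc == o.netloc              # 'none' and other origins end up here

def same_origin_framing_allowed(headers, origin):
    """True if a page served from `origin` may frame a response from that origin."""
    h = {k.lower(): v for k, v in headers.items()}
    found_directive = False
    for policy in h.get("content-security-policy", "").split(","):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found_directive = True
                if not any(_source_allows(s, origin) for s in parts[1:]):
                    return False             # this policy blocks the parent
                break                        # only the first occurrence counts
    if found_directive:
        return True                          # frame-ancestors overrides X-Frame-Options
    return h.get("x-frame-options", "").strip().upper() != "DENY"

# Constructed header sets for a hub where all users share one origin (assumption).
ORIGIN = "https://hub.example.org"
SAMPLES = {
    "csp-self": {"Content-Security-Policy": "frame-ancestors 'self'; report-uri /x"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "xfo-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "no-headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = "FRAMEABLE" if same_origin_framing_allowed(hdrs, ORIGIN) else "blocked"
        print(f"{name:15} {verdict}")
```

A result of `True` for a formgrader response means the headers alone do not stop the scenario above when other users can serve pages from the same origin.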
Latest version: 0.9.5
A system for assigning and grading notebooks
([Full Changelog](https://github.com/jupyter/nbgrader/compare/v0.9.4...73e137511ac1dc02e95790d4fd6d4d88dab42325))
Bugs fixed
- Revert 1915 for security reason [1947](https://github.com/jupyter/nbgrader/pull/1947) ([brichet](https://github.com/brichet))
Maintenance and upkeep improvements
- Bump cross-spawn from 6.0.5 to 6.0.6 [1943](https://github.com/jupyter/nbgrader/pull/1943) ([dependabot](https://github.com/dependabot))
Contributors to this release
([GitHub contributors page for this release](https://github.com/jupyter/nbgrader/graphs/contributors?from=2024-11-18&to=2025-01-17&type=c))
[brichet](https://github.com/search?q=repo%3Ajupyter%2Fnbgrader+involves%3Abrichet+updated%3A2024-11-18..2025-01-17&type=Issues) | [dependabot](https://github.com/search?q=repo%3Ajupyter%2Fnbgrader+involves%3Adependabot+updated%3A2024-11-18..2025-01-17&type=Issues) | [github-actions](https://github.com/search?q=repo%3Ajupyter%2Fnbgrader+involves%3Agithub-actions+updated%3A2024-11-18..2025-01-17&type=Issues)