Debian Security Advisory

DLA-3442-1 nbconvert -- LTS security update

Date Reported:
03 Jun 2023
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2021-32862.
More information:

Alvaro Muñoz from the GitHub Security Lab discovered sixteen ways to exploit a cross-site scripting vulnerability in nbconvert, a tool and library used to convert notebooks to various other formats via Jinja templates.

When using nbconvert to generate an HTML version of a user-controllable notebook, it is possible to inject arbitrary HTML which may lead to cross-site scripting (XSS) vulnerabilities if these HTML notebooks are served by a web server without tight Content-Security-Policy (e.g., nbviewer).

  1. GHSL-2021-1013: XSS in notebook.metadata.language_info.pygments_lexer;
  2. GHSL-2021-1014: XSS in notebook.metadata.title;
  3. GHSL-2021-1015: XSS in notebook.metadata.widgets;
  4. GHSL-2021-1016: XSS in notebook.cell.metadata.tags;
  5. GHSL-2021-1017: XSS in output data text/html cells;
  6. GHSL-2021-1018: XSS in output data image/svg+xml cells;
  7. GHSL-2021-1019: XSS in notebook.cell.output.svg_filename;
  8. GHSL-2021-1020: XSS in output data text/markdown cells;
  9. GHSL-2021-1021: XSS in output data application/javascript cells;
  10. GHSL-2021-1022: XSS in output.metadata.filenames image/png and image/jpeg;
  11. GHSL-2021-1023: XSS in output data image/png and image/jpeg cells;
  12. GHSL-2021-1024: XSS in output.metadata.width/height image/png and image/jpeg;
  13. GHSL-2021-1025: XSS in output data application/vnd.jupyter.widget-state+json cells;
  14. GHSL-2021-1026: XSS in output data application/vnd.jupyter.widget-view+json cells;
  15. GHSL-2021-1027: XSS in raw cells; and
  16. GHSL-2021-1028: XSS in markdown cells.

Some of these vulnerabilities, namely GHSL-2021-1017, -1020, -1021 and -1028, are actually design decisions where text/html, text/markdown, application/javascript and markdown cells should allow for arbitrary JavaScript code execution. These vulnerabilities are therefore left open by default, but users can now opt-out and strip down all JavaScript elements via a new HTMLExporter option sanitize_html.

For Debian 10 buster, this problem has been fixed in version 5.4-2+deb10u1.

We recommend that you upgrade your nbconvert packages.

For the detailed security status of nbconvert please refer to its security tracker page at:

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: