CVE-2018-25378: Notebook Pro: DoS via oversized notebook name input
MEDIUM PoC AVAILABLE CISA: TRACK*Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.
What is the risk?
Low risk overall. The local attack vector and availability-only impact constrain the threat surface to insider scenarios or physical access situations. No active exploitation is recorded in CISA KEV, no EPSS scoring is available, and no downstream AI packages or networked infrastructure are affected. Risk is marginally elevated in shared data science workstation environments or where notebook files are exchanged from untrusted parties, but remains well below the threshold requiring urgent remediation.
How does the attack unfold?
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation.
-
If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources.
-
Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories.
-
Enable autosave features where available to minimise data loss from unexpected crashes.
-
Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2018-25378?
Notebook Pro 2.0 crashes when a local user or attacker pastes a string of 500 or more characters into the New Notebook Name field, a classic uncontrolled memory allocation flaw (CWE-789). The attack vector is strictly local with no confidentiality or integrity impact (CVSS:3.1 AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), which significantly limits blast radius — this is not remotely exploitable and presents minimal risk to networked AI infrastructure. There is no CISA KEV listing, no EPSS data, and no evidence of in-the-wild exploitation; the Exploit-DB entry (EDB-45420, published 2018) is a proof-of-concept demonstrating the crash is trivially reproducible by any local user. Teams using Notebook Pro 2.0 for AI development workflows should upgrade to a patched version if available and treat this as a low-priority maintenance item; the primary risk scenario is shared workstations or social engineering via malicious notebook files.
Is CVE-2018-25378 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2018-25378, increasing the risk of exploitation.
How to fix CVE-2018-25378?
1. Update Notebook Pro to the latest available version and verify vendor release notes address CWE-789 input length validation. 2. If no patch exists, enforce a policy against opening notebook files received from untrusted or external sources. 3. Implement file-sharing controls that restrict notebook file exchange within AI development teams to verified internal repositories. 4. Enable autosave features where available to minimise data loss from unexpected crashes. 5. Monitor endpoint crash telemetry on data science workstations for repeated Notebook Pro termination events as a potential indicator of targeted abuse.
What systems are affected by CVE-2018-25378?
This vulnerability affects the following AI/ML architecture patterns: AI development environments, notebook-based ML workflows, local data science workstations.
What is the CVSS score for CVE-2018-25378?
CVE-2018-25378 has a CVSS v3.1 base score of 6.2 (MEDIUM). The EPSS exploitation probability is 0.14%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0011 User Execution AML.T0048.003 User Harm Compliance Controls Affected
What are the technical details?
Original Advisory
Notebook Pro 2.0 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the notebook name field. Attackers can create a malicious text file containing 500 or more characters, paste the content into the New Notebook Name field, and trigger an application crash when attempting to create and save the notebook.
Exploitation Scenario
An insider or attacker with local workstation access creates a text file containing 500+ characters and pastes the content into the New Notebook Name field of Notebook Pro 2.0. Alternatively, a socially engineered victim is sent a malicious notebook file with instructions to rename it via the application UI. On attempting to create and save the notebook, the application crashes due to unbounded memory allocation. In a targeted operation against an AI development team during a critical sprint, this could be used as a low-sophistication distraction attack — crashing the tool repeatedly to disrupt productivity, destroy unsaved experiment notes, or create a pretext for gaining further access while the victim troubleshoots the crash.
Weaknesses (CWE)
CWE-789 — Memory Allocation with Excessive Size Value: The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
- [Implementation, Architecture and Design] Perform adequate input validation against any value that influences the amount of memory that is allocated. Define an appropriate strategy for handling requests that exceed the limit, and consider supporting a configuration option so that the administrator can extend the amount of memory to be used if necessary.
- [Operation] Run your program using system-provided resource limits for memory. This might still cause the program to crash or exit, but the impact to the rest of the system will be minimized.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H References
Timeline
Related Vulnerabilities
CVE-2026-33660 10.0 TensorFlow: type confusion NPD in tensor conversion
Same attack type: DoS CVE-2023-25668 9.8 TensorFlow: unauthenticated RCE via heap buffer overflow
Same attack type: DoS CVE-2022-23587 9.8 TensorFlow: integer overflow in Grappler enables RCE
Same attack type: DoS CVE-2022-35939 9.8 TensorFlow: ScatterNd OOB write enables RCE/crash
Same attack type: DoS CVE-2022-41900 9.8 TensorFlow: heap OOB RCE in FractionalMaxPool op
Same attack type: DoS