CVE-2021-39160: nbgitpuller: RCE via OS command injection in git URLs

GHSA-mq5p-2mcr-m52j HIGH
Published August 30, 2021
CISO Take

nbgitpuller, a JupyterHub extension widely deployed in AI/ML research and data science platforms, allows unauthenticated remote code execution when a user clicks a crafted link. Jupyter environments typically hold training data, model artifacts, API keys, and cloud credentials — making this a high-value pivot point. Upgrade to 0.10.2 immediately; there are no workarounds for versions 0.9.0–0.10.1 other than downgrade to 0.8.x.

What is the risk?

High risk for organizations running JupyterHub-based ML platforms. CVSS 8.8 reflects network accessibility, no authentication required, and full confidentiality/integrity/availability impact. The low EPSS (0.83%) suggests limited active exploitation, but the attack is trivial to execute — a single link click by any data scientist or ML engineer is sufficient. Blast radius is amplified by the privileged access Jupyter servers typically have to model registries, cloud storage, and CI/CD pipelines.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| nbgitpuller | pip | >= 0.9.0, <= 0.10.1 | 0.10.2 |


How severe is it?

CVSS 3.1: 8.8 / 10
EPSS: 1.7% chance of exploitation in 30 days (higher than 75% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: High

What should I do?

  1. Patch: Upgrade nbgitpuller to 0.10.2 on all JupyterHub instances.

  2. If upgrade is not immediately feasible, downgrade to 0.8.x as the only available workaround.

  3. Disable or remove nbgitpuller if the feature is not actively used.

  4. Audit JupyterHub access logs for unexpected git clone activity or unusual URL patterns in nbgitpuller requests.

  5. Apply network egress controls on Jupyter servers to limit lateral movement.

  6. Rotate any secrets or credentials accessible from affected Jupyter environments as a precaution.
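
For the log audit in step 4, the following added example (not code from nbgitpuller or from this advisory) scans access-log lines for nbgitpuller requests whose `repo` or `branch` value contains shell metacharacters or an unexpected URL scheme. The log line format, the scheme allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: each log line contains the request line, e.g. "GET /path?query HTTP/1.1".
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Characters a shell treats specially, plus whitespace and control characters.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\!\s\x00-\x1f]")
ALLOWED_SCHEMES = {"https", "http", "ssh", "git"}  # assumption: adjust to site policy
CHECKED_PARAMS = ("repo", "branch")

def audit_line(line):
    """Return a list of (param, value, reason) findings for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    # nbgitpuller links have the form <base>/git-pull?repo=...&branch=...
    if "/git-pull" not in url.path:
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in CHECKED_PARAMS:
        for value in params.get(name, []):
            if SHELL_META_RE.search(value):
                findings.append((name, value, "shell metacharacter or whitespace"))
            elif name == "repo" and urlsplit(value).scheme not in ALLOWED_SCHEMES:
                findings.append((name, value, "unexpected URL scheme"))
    return findings

def audit_log(lines):
    """Map 1-based line number -> findings, only for lines that were flagged."""
    return {n: f for n, line in enumerate(lines, 1) if (f := audit_line(line))}

# Constructed sample lines (not taken from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - alice [30/Aug/2021:10:00:01 +0000] "GET /user/alice/git-pull?repo=https%3A%2F%2Fgithub.com%2Forg%2Fcourse&branch=main HTTP/1.1" 200 512',
    '10.0.0.7 - bob [30/Aug/2021:10:02:13 +0000] "GET /user/bob/git-pull?repo=https%3A%2F%2Fexample.org%2Fr.git&branch=main%3Becho%20x HTTP/1.1" 200 498',
    '10.0.0.9 - carol [30/Aug/2021:10:05:44 +0000] "GET /user/carol/git-pull?repo=file%3A%2F%2F%2Fetc&branch=main HTTP/1.1" 200 470',
    '10.0.0.5 - alice [30/Aug/2021:10:06:00 +0000] "GET /user/alice/lab HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for lineno, findings in audit_log(SAMPLE_LOG).items():
        for param, value, reason in findings:
            print(f"line {lineno}: {param}={value!r}: {reason}")
```

A flagged line is a triage lead, not proof of compromise; scp-style SSH remotes have no URL scheme and will also be reported under this allowlist.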

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System for High-Risk AI
ISO 42001: A.6.2.5 - Security of AI system components and dependencies
NIST AI RMF: GOVERN 1.7 - Processes for vulnerability disclosure and response; MANAGE 2.4 - Residual risks and organizational risk tolerance
OWASP LLM Top 10: LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-39160?

nbgitpuller, a JupyterHub extension widely deployed in AI/ML research and data science platforms, allows unauthenticated remote code execution when a user clicks a crafted link. Jupyter environments typically hold training data, model artifacts, API keys, and cloud credentials — making this a high-value pivot point. Upgrade to 0.10.2 immediately; there are no workarounds for versions 0.9.0–0.10.1 other than downgrade to 0.8.x.

Is CVE-2021-39160 actively exploited?

No confirmed active exploitation of CVE-2021-39160 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-39160?

  1. Patch: Upgrade nbgitpuller to 0.10.2 on all JupyterHub instances.

  2. If upgrade is not immediately feasible, downgrade to 0.8.x as the only available workaround.

  3. Disable or remove nbgitpuller if the feature is not actively used.

  4. Audit JupyterHub access logs for unexpected git clone activity or unusual URL patterns in nbgitpuller requests.

  5. Apply network egress controls on Jupyter servers to limit lateral movement.

  6. Rotate any secrets or credentials accessible from affected Jupyter environments as a precaution.

What systems are affected by CVE-2021-39160?

This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook environments, ML training platforms, Collaborative AI development platforms, JupyterHub multi-user deployments.

What is the CVSS score for CVE-2021-39160?

CVE-2021-39160 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 1.73%.

What is the AI security impact?

Affected AI Architectures

Jupyter notebook environments, ML training platforms, Collaborative AI development platforms, JupyterHub multi-user deployments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011.003 Malicious Link
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2.5
NIST AI RMF: GOVERN 1.7, MANAGE 2.4
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

### Impact

Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.

### Patches

0.10.2

### Workarounds

None, other than upgrade to 0.10.2 or downgrade to 0.8.x.

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [nbgitpuller](https://github.com/jupyterhub/nbgitpuller/issues)
* Email our security team at [security@ipython.org](mailto:security@ipython.org)

Exploitation Scenario

An attacker targets a data science team using JupyterHub with nbgitpuller enabled. They craft a malicious nbgitpuller URL embedding OS commands in an unsanitized parameter (e.g., a repository URL or branch name containing shell metacharacters). The URL is delivered via a phishing email disguised as a shared notebook or dataset link — a common workflow in ML teams. When the victim clicks the link while authenticated to JupyterHub, nbgitpuller processes the unsanitized input and executes the injected commands in the notebook server's OS context. The attacker gains RCE, exfiltrates cloud credentials from environment variables, and pivots to the organization's model registry or S3 training data buckets.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published: August 30, 2021
Last Modified: October 3, 2024
First Seen: March 24, 2026

Related Vulnerabilities