CVE-2021-41134: nbdime: stored XSS in Jupyter notebook diff viewer

GHSA-p6rw-44q7-3fw4 HIGH
Published November 8, 2021
CISO Take

nbdime, the standard tool for diffing and reviewing Jupyter notebook changes in ML workflows, has a stored XSS enabling session hijacking in shared data science environments. The scope-changed CVSS 8.7 reflects real risk in multi-user JupyterHub deployments where notebook diffs are reviewed collaboratively. Patch all instances immediately — every version prior to 1.1.1/2.1.1/3.1.1 (Python) and 5.0.2/6.1.2 (npm) is vulnerable.

What is the risk?

High risk for organizations running shared Jupyter infrastructure. CVSS Scope:Changed means a low-privileged attacker can compromise other users' sessions — a significant privilege escalation in ML environments. EPSS of 0.34% indicates limited active exploitation to date, but Jupyter environments routinely contain sensitive assets: model artifacts, training data, and hardcoded API keys in notebooks. Unpatched shared JupyterHub instances represent a persistent threat to ML pipeline integrity.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| nbdime | npm | < 5.0.2 | 5.0.2 |
| nbdime | pip | < 1.1.1 | 1.1.1 |
| nbdime-jupyterlab | npm | < 1.0.1 | 1.0.1 |

How severe is it?

  • CVSS 3.1: 8.7 / 10
  • EPSS: 0.7% chance of exploitation in 30 days (higher than 48% of all CVEs)
  • Exploitation Status: No known exploitation
  • Sophistication: Trivial

What is the attack surface?

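  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): Required
  • Scope (S): Changed
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): None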

What should I do?

  1. Patch immediately: Python nbdime → 1.1.1 / 2.1.1 / 3.1.1; npm nbdime → 5.0.2 / 6.1.2; nbdime-jupyterlab → 1.0.1 / 2.1.1.
  2. Until patched, restrict nbdime to isolated single-user environments only — no shared JupyterHub usage.
  3. Audit shared Jupyter instances for notebooks ingested from untrusted sources (external contributors, public repos).
  4. Enforce Content Security Policy headers on all Jupyter web interfaces.
  5. Detect: monitor for unexpected outbound requests from Jupyter server processes or unusual session token usage following notebook diff operations.
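
Each major release line has its own first fixed version, so a single "less than" comparison misses installs such as Python nbdime 2.0.x. The following is an added example, not code from the advisory or the nbdime project, that compares a version against the fix for its own major line. The inventory rows and hostnames are constructed, and the handling of majors outside the listed lines is an assumption.

```python
import re

# First patched release per major line, taken from the advisory text on this page.
PATCHED = {
    ("pip", "nbdime"): {1: (1, 1, 1), 2: (2, 1, 1), 3: (3, 1, 1)},
    ("npm", "nbdime"): {5: (5, 0, 2), 6: (6, 1, 2)},
    ("npm", "nbdime-jupyterlab"): {1: (1, 0, 1), 2: (2, 1, 1)},
}
_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(.*)$")
_PRERELEASE = re.compile(r"(a|b|rc|\.dev|-)")  # PEP 440 and semver pre-release suffixes


def is_vulnerable(ecosystem, package, version):
    """Return True if `version` predates the fix on its own major line."""
    lines = PATCHED[(ecosystem, package)]
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    release = tuple(int(x) for x in m.group(1, 2, 3))
    prerelease = bool(_PRERELEASE.match(m.group(4)))
    major = release[0]
    if major in lines:
        fixed = lines[major]
        # A pre-release of the fixed version is treated as unpatched (conservative).
        return release < fixed or (release == fixed and prerelease)
    # Assumption: majors older than the first patched line never received a fix;
    # majors newer than the last patched line shipped with it.
    return major < min(lines)


def audit(inventory):
    """inventory: iterable of (host, ecosystem, package, version) rows."""
    return [row for row in inventory if is_vulnerable(*row[1:])]


# Constructed inventory: hostnames and versions are sample data.
SAMPLE = [
    ("hub-a", "pip", "nbdime", "1.1.1"),
    ("hub-b", "pip", "nbdime", "2.0.1"),   # newer than 1.1.1, still unpatched
    ("hub-c", "npm", "nbdime", "6.1.1"),   # newer than 5.0.2, still unpatched
    ("hub-d", "npm", "nbdime-jupyterlab", "2.1.1"),
    ("hub-e", "pip", "nbdime", "0.4.1"),   # predates the first patched line
]

if __name__ == "__main__":
    for host, eco, pkg, ver in audit(SAMPLE):
        print(f"{host}: {eco} {pkg} {ver} predates the fix for its major line")
```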

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

  • EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
  • ISO 42001: A.6.2.6 - Information security in AI system development
  • NIST AI RMF: GOVERN-6.1 - AI risk management policies include supply chain and third-party considerations
  • OWASP LLM Top 10: LLM05:2025 - Improper Output Handling

Frequently Asked Questions

Is CVE-2021-41134 actively exploited?

No confirmed active exploitation of CVE-2021-41134 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2021-41134?

This vulnerability affects the following AI/ML architecture patterns: ML development environments, Jupyter notebook infrastructure, Data science collaboration platforms, CI/CD pipelines with notebook diffing.

What is the CVSS score for CVE-2021-41134?

CVE-2021-41134 has a CVSS v3.1 base score of 8.7 (HIGH). The EPSS exploitation probability is 0.68%.

What is the AI security impact?

Affected AI Architectures

  • ML development environments
  • Jupyter notebook infrastructure
  • Data science collaboration platforms
  • CI/CD pipelines with notebook diffing

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: GOVERN-6.1
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

### Impact

Improper handling of user controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.

### Patches

Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime python package.

#### Python

- nbdime 1.x: Patched in v. 1.1.1
- nbdime 2.x: Patched in v. 2.1.1
- nbdime 3.x: Patched in v. 3.1.1

#### npm

- nbdime 6.x version: Patched in 6.1.2
- nbdime 5.x version: Patched in 5.0.2
- nbdime-jupyterlab 1.x version: Patched in 1.0.1
- nbdime-jupyterlab 2.x version: Patched in 2.1.1

### For more information

If you have any questions or comments about this advisory email us at [security@ipython.org](mailto:security@ipython.org).

Exploitation Scenario

An adversary with low-privileged access to a shared JupyterHub instance crafts a notebook with an XSS payload in cell output or notebook metadata. When a data scientist or ML engineer uses nbdime to review changes — a routine step in collaborative ML workflows or CI notebook validation — the payload executes in the reviewer's browser. The attacker captures the Jupyter session cookie and pivots to access the full Jupyter environment: training datasets, model artifacts, pipeline credentials, and any cloud provider keys stored in notebooks.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: HTML body; Element attributes (such as src="XYZ"); URIs; JavaScript sections; Casca…; etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Timeline

  • Published: November 8, 2021
  • Last Modified: October 1, 2024
  • First Seen: March 24, 2026
