nbdime, the standard tool for diffing and reviewing Jupyter notebook changes in ML workflows, has a stored XSS enabling session hijacking in shared data science environments. The scope-changed CVSS 8.7 reflects real risk in multi-user JupyterHub deployments where notebook diffs are reviewed collaboratively. Patch all instances immediately — every version prior to 1.1.1/2.1.1/3.1.1 (Python) and 5.0.2/6.1.2 (npm) is vulnerable.
Risk Assessment
High risk for organizations running shared Jupyter infrastructure. CVSS Scope:Changed means a low-privileged attacker can compromise other users' sessions — a significant privilege escalation in ML environments. EPSS of 0.34% indicates limited active exploitation to date, but Jupyter environments routinely contain sensitive assets: model artifacts, training data, and hardcoded API keys in notebooks. Unpatched shared JupyterHub instances represent a persistent threat to ML pipeline integrity.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| nbdime | npm | < 5.0.2 | 5.0.2 |
| nbdime | pip | < 1.1.1 | 1.1.1 |
| nbdime-jupyterlab | npm | < 1.0.1 | 1.0.1 |
Recommended Action
1) Patch immediately: Python nbdime → 1.1.1 / 2.1.1 / 3.1.1; npm nbdime → 5.0.2 / 6.1.2; nbdime-jupyterlab → 1.0.1 / 2.1.1.
2) Until patched, restrict nbdime to isolated single-user environments only — no shared JupyterHub usage.
3) Audit shared Jupyter instances for notebooks ingested from untrusted sources (external contributors, public repos).
4) Enforce Content Security Policy headers on all Jupyter web interfaces.
5) Detect: monitor for unexpected outbound requests from Jupyter server processes or unusual session token usage following notebook diff operations.
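Added example (not code from the nbdime project or from this advisory): a version check that applies the patched release of each major line named in step 1, because a single "< 1.1.1" comparison would wrongly pass an unpatched 2.0.x or 3.0.x install. The inventory rows, host names and the "review" state for versions outside the listed lines are assumptions made for illustration.

```python
import re

# Fixed release per major line, taken from the advisory text on this page.
PATCHED = {
    ("pip", "nbdime"): {1: (1, 1, 1), 2: (2, 1, 1), 3: (3, 1, 1)},
    ("npm", "nbdime"): {5: (5, 0, 2), 6: (6, 1, 2)},
    ("npm", "nbdime-jupyterlab"): {1: (1, 0, 1), 2: (2, 1, 1)},
}

def classify(ecosystem, package, version):
    """Return 'patched', 'vulnerable', 'review' or 'not-listed'."""
    lines = PATCHED.get((ecosystem, package))
    if lines is None:
        return "not-listed"  # package is not named in the advisory
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if m is None:
        return "review"  # pre-release or unusual version string: check by hand
    v = tuple(int(part) for part in m.groups())
    major = v[0]
    if major in lines:
        # Compare only against the fix for the same major line.
        return "patched" if v >= lines[major] else "vulnerable"
    if major < min(lines):
        return "vulnerable"  # older line with no patched release listed
    # Assumption: a major newer than any the advisory names needs manual review.
    return "review"

# Constructed inventory: (host, ecosystem, package, installed version).
SAMPLE_INVENTORY = [
    ("hub-a", "pip", "nbdime", "3.1.0"),
    ("hub-a", "npm", "nbdime", "6.1.2"),
    ("hub-b", "pip", "nbdime", "2.0.0"),
    ("hub-b", "npm", "nbdime-jupyterlab", "1.0.1"),
    ("ci-1", "pip", "nbdime", "0.4.1"),
    ("ci-1", "npm", "nbdime", "5.0.1"),
    ("ws-7", "pip", "nbdime", "3.1.1"),
]

def audit(inventory):
    """Return every inventory row that is not confirmed patched."""
    findings = []
    for host, eco, pkg, ver in inventory:
        state = classify(eco, pkg, ver)
        if state != "patched":
            findings.append((host, eco, pkg, ver, state))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print(*row)
```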
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
Is CVE-2021-41134 actively exploited?
No confirmed active exploitation of CVE-2021-41134 has been reported, but organizations should still patch proactively.
What systems are affected by CVE-2021-41134?
This vulnerability affects the following AI/ML architecture patterns: ML development environments, Jupyter notebook infrastructure, Data science collaboration platforms, CI/CD pipelines with notebook diffing.
What is the CVSS score for CVE-2021-41134?
CVE-2021-41134 has a CVSS v3.1 base score of 8.7 (HIGH). The EPSS exploitation probability is 0.34%.
Technical Details
NVD Description
### Impact
Improper handling of user controlled input caused a stored cross-site scripting (XSS) vulnerability. All previous versions of nbdime are affected.
### Patches
Security patches will be released for each of the major versions of the nbdime packages since version 1.x of the nbdime python package.
#### Python
- nbdime 1.x: Patched in v. 1.1.1
- nbdime 2.x: Patched in v. 2.1.1
- nbdime 3.x: Patched in v. 3.1.1
#### npm
- nbdime 6.x version: Patched in 6.1.2
- nbdime 5.x version: Patched in 5.0.2
- nbdime-jupyterlab 1.x version: Patched in 1.0.1
- nbdime-jupyterlab 2.x version: Patched in 2.1.1
### For more information
If you have any questions or comments about this advisory email us at [security@ipython.org](mailto:security@ipython.org).
Exploitation Scenario
An adversary with low-privileged access to a shared JupyterHub instance crafts a notebook with an XSS payload in cell output or notebook metadata. When a data scientist or ML engineer uses nbdime to review changes — a routine step in collaborative ML workflows or CI notebook validation — the payload executes in the reviewer's browser. The attacker captures the Jupyter session cookie and pivots to access the full Jupyter environment: training datasets, model artifacts, pipeline credentials, and any cloud provider keys stored in notebooks.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
References
Timeline
Related Vulnerabilities
| CVE | CVSS | Summary | Relation |
|---|---|---|---|
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Same attack type: Data Extraction |
| CVE-2025-5120 | 10.0 | smolagents: sandbox escape enables unauthenticated RCE | Same attack type: Code Execution |
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Same attack type: Data Extraction |
| CVE-2025-53767 | 10.0 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | Same attack type: Data Extraction |
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Same attack type: Code Execution |