CVE-2023-25574: JupyterHub LTI13: JWT forgery enables full auth bypass
GHSA-mcgx-2gcr-p3hp | CRITICAL | CISA: TRACK*
Any JupyterHub instance running ltiauthenticator 1.3.0 with LTI 1.3 enabled is fully compromised — no credentials needed, attacker can impersonate any existing user or create new ones. Upgrade to 1.4.0 immediately; there are no workarounds. Audit your ML notebook infrastructure for this exact version before end of day.
What is the risk?
CVSS 10.0 with network-accessible, zero-privilege, zero-interaction exploitation. Scope change confirmed (C:H/I:H/A:H). EPSS 0.00234 suggests limited active exploitation to date, but the attack is trivially repeatable once disclosed — any attacker who can reach the LTI endpoint can forge arbitrary user sessions. Risk is especially elevated in shared JupyterHub environments (universities, enterprise ML platforms, MLOps pipelines) where lateral movement through notebook access yields significant data and compute exposure.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter | pip | = 1.3.0 | 1.4.0 |
What should I do?
1. PATCH: Upgrade jupyterhub-ltiauthenticator to 1.4.0 immediately (`pip install --upgrade jupyterhub-ltiauthenticator`).
2. DETECT: Check deployed version with `pip show jupyterhub-ltiauthenticator`.
3. SCOPE: Confirm whether LTI13Authenticator is configured as the active authenticator class in jupyterhub_config.py — if not, you are not affected.
4. AUDIT: Review JupyterHub access logs for anomalous login patterns (unexpected usernames, new user account creation, off-hours access) going back to when 1.3.0 was deployed.
5. ROTATE: If exploitation is suspected, invalidate all active sessions and rotate any secrets or credentials accessible from notebook environments. No workarounds exist; patching is the only remediation.
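The DETECT and SCOPE steps can be scripted per host. The following is an added example, not code from the advisory or the ltiauthenticator project; the function names, status strings and the sample config line (including its module path) are assumptions made for illustration.

```python
import re
from importlib import metadata

DIST = "jupyterhub-ltiauthenticator"
VULNERABLE = "1.3.0"  # only affected release per the advisory; fixed in 1.4.0

def installed_version(dist=DIST):
    """DETECT: version from package metadata, like `pip show`; None if absent."""
    try:
        return metadata.version(dist)
    except metadata.PackageNotFoundError:
        return None

def lti13_active(config_text):
    """SCOPE: does an uncommented line assign LTI13Authenticator as the
    authenticator class? Text heuristic: a config that builds the class
    name indirectly needs a manual look."""
    for line in config_text.splitlines():
        code = line.split("#", 1)[0]  # ignore trailing and full-line comments
        if re.search(r"authenticator_class\s*=.*LTI13Authenticator", code):
            return True
    return False

def assess(version, config_text):
    """Combine both checks into one status string for fleet reporting."""
    if version is None:
        return "not-installed"
    if version != VULNERABLE:
        return "version-not-vulnerable"
    if not lti13_active(config_text):
        return "vulnerable-version-lti13-inactive"
    return "affected"

if __name__ == "__main__":
    # Constructed sample; in practice read the deployed jupyterhub_config.py.
    sample = ('c.JupyterHub.authenticator_class = '
              '"ltiauthenticator.lti13.auth.LTI13Authenticator"\n')
    found = installed_version()
    print(DIST, found, assess(found, sample))
```

Run it with the same Python interpreter that runs JupyterHub, otherwise the package metadata lookup inspects the wrong environment.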
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2023-25574 actively exploited?
No confirmed active exploitation of CVE-2023-25574 has been reported, but organizations should still patch proactively.
How to fix CVE-2023-25574?
1. PATCH: Upgrade jupyterhub-ltiauthenticator to 1.4.0 immediately (`pip install --upgrade jupyterhub-ltiauthenticator`).
2. DETECT: Check deployed version with `pip show jupyterhub-ltiauthenticator`.
3. SCOPE: Confirm whether LTI13Authenticator is configured as the active authenticator class in jupyterhub_config.py — if not, you are not affected.
4. AUDIT: Review JupyterHub access logs for anomalous login patterns (unexpected usernames, new user account creation, off-hours access) going back to when 1.3.0 was deployed.
5. ROTATE: If exploitation is suspected, invalidate all active sessions and rotate any secrets or credentials accessible from notebook environments. No workarounds exist; patching is the only remediation.
What systems are affected by CVE-2023-25574?
This vulnerability affects the following AI/ML architecture patterns: ML notebooks, training pipelines, data science platforms, MLOps infrastructure, multi-tenant AI development environments.
What is the CVSS score for CVE-2023-25574?
CVE-2023-25574 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.33%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0012 Valid Accounts
- AML.T0049 Exploit Public-Facing Application
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
### Impact
Only users that have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are influenced. LTI13Authenticator that was introduced in `jupyterhub-ltiauthenticator` 1.3.0 wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.
### Patches
None.
### Workarounds
None.
### References
- [This code segment](https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164) didn't validate a JWT signature.
Exploitation Scenario
Attacker identifies a JupyterHub instance via passive recon (Shodan, GitHub config leaks, or organizational documentation). They observe the /hub/lti13/oauth_callback endpoint is active, confirming LTI 1.3 is enabled. Using a standard JWT library, they craft a token claiming to be any target user (administrator, data scientist, or a new account) and submit it directly to the LTI callback without a valid signature. The unpatched validator accepts the token at lines 122–164 of validator.py without verifying the signature against the registered LTI platform's public key. The attacker now has a fully authenticated JupyterHub session — from here they exfiltrate training data, inject malicious code into notebooks, harvest cloud credentials from environment variables, or pivot to connected ML infrastructure.
Weaknesses (CWE)
CWE-347 — Improper Verification of Cryptographic Signature: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
Source: MITRE CWE corpus.
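CWE-347 in JWT terms, as an added example that is not the ltiauthenticator code: a decoder that trusts the payload without checking the signature, next to one that returns claims only after the RS256 signature verifies against the platform's public key. It uses only the standard library; all function names are hypothetical and the RSA key is a constructed toy key built from two Mersenne primes so the block runs offline.

```python
import base64, hashlib, hmac, json

# Constructed toy RSA key standing in for the LTI platform's key pair.
# Mersenne primes keep the example offline; never use such a key for real.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_pkcs1(signing_input):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(signing_input), K bytes long."""
    digest = SHA256_PREFIX + hashlib.sha256(signing_input).digest()
    return b"\x00\x01" + b"\xff" * (K - len(digest) - 3) + b"\x00" + digest

def platform_sign(claims):
    """What the legitimate platform does: RS256-sign the id_token."""
    head = b64e(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    em = int.from_bytes(encode_pkcs1(f"{head}.{body}".encode()), "big")
    return f"{head}.{body}." + b64e(pow(em, D, N).to_bytes(K, "big"))

def claims_without_verification(token):
    """CWE-347 pattern: payload is trusted, signature segment is ignored."""
    return json.loads(b64d(token.split(".")[1]))

def claims_verified(token):
    """Return claims only if the RS256 signature checks out, else None."""
    try:
        head, body, sig = token.split(".")
        alg = json.loads(b64d(head)).get("alg")
        raw = b64d(sig)
    except (ValueError, AttributeError):
        return None  # malformed token, header or signature encoding
    sig_int = int.from_bytes(raw, "big")
    if alg != "RS256" or len(raw) != K or sig_int >= N:
        return None  # wrong algorithm (including "none") or bad length
    recovered = pow(sig_int, E, N).to_bytes(K, "big")
    if not hmac.compare_digest(recovered, encode_pkcs1(f"{head}.{body}".encode())):
        return None  # signature does not cover this header and payload
    return json.loads(b64d(body))
```

A token whose payload was altered after signing, or that carries an empty signature, still decodes in `claims_without_verification` but yields `None` from `claims_verified`.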
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
- CVE-2026-44180 (9.8): Jupyter Enterprise Gateway: root privilege bypass in Kubernetes (same package: jupyter)
- CVE-2026-42266 (8.8): JupyterLab: Extension allow-list bypass enables privesc (same package: jupyter)
- CVE-2026-5422 (8.1): jupyter-server: path traversal exposes sibling dir files (same package: jupyter)
- CVE-2025-30370 (7.4): jupyterlab-git: command injection via malicious repo name (same package: jupyter)
- CVE-2025-30167 (7.3): jupyter_core: config hijack enables cross-user code exec (same package: jupyter)