CVE-2023-25574: JupyterHub LTI13: JWT forgery enables full auth bypass

GHSA-mcgx-2gcr-p3hp | Severity: CRITICAL | CISA SSVC: Track*
Published February 25, 2025
CISO Take

Any JupyterHub instance running ltiauthenticator 1.3.0 with LTI 1.3 enabled is fully compromised — no credentials needed, attacker can impersonate any existing user or create new ones. Upgrade to 1.4.0 immediately; there are no workarounds. Audit your ML notebook infrastructure for this exact version before end of day.

Risk Assessment

CVSS 10.0 with network-accessible, zero-privilege, zero-interaction exploitation. Scope change confirmed (C:H/I:H/A:H). EPSS 0.00234 suggests limited active exploitation to date, but the attack is trivially repeatable once disclosed — any attacker who can reach the LTI endpoint can forge arbitrary user sessions. Risk is especially elevated in shared JupyterHub environments (universities, enterprise ML platforms, MLOps pipelines) where lateral movement through notebook access yields significant data and compute exposure.

Affected Systems

Package                       Ecosystem   Vulnerable Range   Patched
jupyterhub-ltiauthenticator   pip         = 1.3.0            1.4.0

Do you run jupyterhub-ltiauthenticator 1.3.0 with LTI13Authenticator as the active authenticator? You're affected.

Severity & Risk

CVSS 3.1: 10.0 / 10
EPSS: 0.4% chance of exploitation in 30 days (higher than 59% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Upgrade jupyterhub-ltiauthenticator to 1.4.0 immediately (pip install --upgrade jupyterhub-ltiauthenticator).

2. DETECT: Check the deployed version with pip show jupyterhub-ltiauthenticator.

3. SCOPE: Confirm whether LTI13Authenticator is configured as the active authenticator class in jupyterhub_config.py — if not, you are not affected.

4. AUDIT: Review JupyterHub access logs for anomalous login patterns (unexpected usernames, new user account creation, off-hours access) going back to when 1.3.0 was deployed.

5. ROTATE: If exploitation is suspected, invalidate all active sessions and rotate any secrets or credentials accessible from notebook environments. No workarounds exist; patching is the only remediation.

CISA SSVC Assessment

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.9.3 - Access Control to AI Systems
NIST AI RMF: GOVERN 6.1 - Policies and procedures are in place for organizational risk tolerance; MANAGE 2.2 - Mechanisms are in place to respond to risks identified in AI systems
OWASP LLM Top 10: LLM08:2025 - Vector and Embedding Weaknesses

Frequently Asked Questions

Is CVE-2023-25574 actively exploited?

No confirmed active exploitation of CVE-2023-25574 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2023-25574?

This vulnerability affects the following AI/ML architecture patterns: ML notebooks, training pipelines, data science platforms, MLOps infrastructure, multi-tenant AI development environments.

What is the CVSS score for CVE-2023-25574?

CVE-2023-25574 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.37%.

Technical Details

NVD Description

Impact: Only users that have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are influenced. LTI13Authenticator, which was introduced in `jupyterhub-ltiauthenticator` 1.3.0, wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request granting access to existing and new user identities.
Patches: None.
Workarounds: None.
References: This code segment didn't validate a JWT signature: https://github.com/jupyterhub/ltiauthenticator/blob/3feec2e81b9d3b0ad6b58ab4226af640833039f3/ltiauthenticator/lti13/validator.py#L122-L164
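The missing check, as an added example that is not code from ltiauthenticator or JupyterHub: a minimal LTI 1.3 id_token validator that verifies the RS256 signature against the platform key selected by `kid` before trusting any claim, then enforces iss, aud, nonce and exp. It is written in Go with only the standard library so it runs without third-party packages; the jwks map stands in for the platform's published JWKS, the issuer, client id and nonce values are assumed inputs, the clock is passed in as a Unix timestamp, and aud is handled in its single-string form only (LTI 1.3 also permits an array).

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url

// Sign builds an RS256 id_token the way an LTI platform would; used here only to produce test input.
func Sign(key *rsa.PrivateKey, kid string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	return signing + "." + b64.EncodeToString(sig)
}

// Verify does what the 1.3.0 validator skipped: check the RS256 signature against the platform key named by
// "kid" before trusting any claim, then enforce iss, aud, nonce and exp. jwks stands in for the platform JWKS.
func Verify(tok string, jwks map[string]*rsa.PublicKey, iss, clientID, nonce string, now int64) (map[string]interface{}, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg, Kid string } // json matches "alg"/"kid" case-insensitively; base64 errors are left to fail the checks below
	if hb, _ := b64.DecodeString(parts[0]); json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" || jwks[hdr.Kid] == nil {
		return nil, errors.New("header must declare alg RS256 and a known platform kid")
	}
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // the signed input is the raw header.payload text
	if sig, _ := b64.DecodeString(parts[2]); rsa.VerifyPKCS1v15(jwks[hdr.Kid], crypto.SHA256, h[:], sig) != nil {
		return nil, errors.New("signature verification failed") // forged or tampered tokens stop here
	}
	claims := map[string]interface{}{}
	if pb, _ := b64.DecodeString(parts[1]); json.Unmarshal(pb, &claims) != nil {
		return nil, errors.New("malformed payload")
	}
	exp, _ := claims["exp"].(float64) // JSON numbers decode as float64; a missing exp yields 0, i.e. expired
	if claims["iss"] != iss || claims["aud"] != clientID || claims["nonce"] != nonce || float64(now) >= exp {
		return nil, errors.New("iss, aud, nonce or exp check failed")
	}
	return claims, nil
}
```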

Exploitation Scenario

Attacker identifies a JupyterHub instance via passive recon (Shodan, GitHub config leaks, or organizational documentation). They observe the /hub/lti13/oauth_callback endpoint is active, confirming LTI 1.3 is enabled. Using a standard JWT library, they craft a token claiming to be any target user (administrator, data scientist, or a new account) and submit it directly to the LTI callback without a valid signature. The unpatched validator accepts the token at lines 122–164 of validator.py without verifying the signature against the registered LTI platform's public key. The attacker now has a fully authenticated JupyterHub session — from here they exfiltrate training data, inject malicious code into notebooks, harvest cloud credentials from environment variables, or pivot to connected ML infrastructure.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: February 25, 2025
Last Modified: February 25, 2025
First Seen: March 24, 2026
