AI Threat Alert AI Threat Alert

CVE-2025-23205: nbgrader: Clickjacking exposes formgrader via IFrame

GHSA-fcr8-4r9f-r66m HIGH
Published January 17, 2025
CISO Take

JupyterHub deployments running nbgrader 0.9.4 with default settings allow any authenticated user to exfiltrate formgrader content—grades, ML submissions, research notebooks—by tricking a privileged user into visiting a malicious page on the same origin. Patch to nbgrader 0.9.5 immediately. If patching is delayed, disable frame-ancestors: self in JupyterHub CSP or enable per-subdomain isolation (JupyterHub.enable_subdomains=True).

Risk Assessment

Moderate risk for academic and enterprise ML/AI platforms running JupyterHub with nbgrader. Exploitation requires a valid JupyterHub account plus successful social engineering to deliver a malicious link to a formgrader-privileged user, limiting opportunistic mass exploitation. However, formgrader content can include proprietary ML code, research datasets, and student PII. EPSS of 0.277% and no CISA KEV listing indicate no active exploitation in the wild at this time.

Affected Systems

Package Ecosystem Vulnerable Range Patched
nbgrader pip = 0.9.4 0.9.5

Do you use nbgrader? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.3%
chance of exploitation in 30 days
Higher than 51% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
No known exploitation
Sophistication
Trivial

Recommended Action

5 steps

  1. PATCH

    Upgrade nbgrader to 0.9.5 — the patched version reverts the frame-ancestors: self header change.

  2. WORKAROUND A

    Explicitly disable frame-ancestors: self in JupyterHub Content Security Policy configuration.

  3. WORKAROUND B

    Set JupyterHub.enable_subdomains=True to enforce per-user origin isolation, preventing cross-frame DOM access even if IFrame embedding is allowed.

  4. VERIFY

    Inspect live CSP headers (curl -I or browser DevTools > Network > Response Headers) to confirm frame-ancestors policy before and after remediation.

  5. HARDEN

    Restrict formgrader access to the minimum required users via JupyterHub role/group configuration to reduce the attack surface.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Social Engineering Auth Bypass Framework AML.T0011.003 AML.T0012 AML.T0036 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI System Security Controls
NIST AI RMF
MANAGE-2.4 - Residual Risk Treatment

Frequently Asked Questions

What is CVE-2025-23205?

JupyterHub deployments running nbgrader 0.9.4 with default settings allow any authenticated user to exfiltrate formgrader content—grades, ML submissions, research notebooks—by tricking a privileged user into visiting a malicious page on the same origin. Patch to nbgrader 0.9.5 immediately. If patching is delayed, disable frame-ancestors: self in JupyterHub CSP or enable per-subdomain isolation (JupyterHub.enable_subdomains=True).

Is CVE-2025-23205 actively exploited?

No confirmed active exploitation of CVE-2025-23205 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-23205?

1. PATCH: Upgrade nbgrader to 0.9.5 — the patched version reverts the frame-ancestors: self header change. 2. WORKAROUND A: Explicitly disable frame-ancestors: self in JupyterHub Content Security Policy configuration. 3. WORKAROUND B: Set JupyterHub.enable_subdomains=True to enforce per-user origin isolation, preventing cross-frame DOM access even if IFrame embedding is allowed. 4. VERIFY: Inspect live CSP headers (curl -I or browser DevTools > Network > Response Headers) to confirm frame-ancestors policy before and after remediation. 5. HARDEN: Restrict formgrader access to the minimum required users via JupyterHub role/group configuration to reduce the attack surface.

What systems are affected by CVE-2025-23205?

This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook platforms, AI/ML training environments, academic ML platforms, data science workspaces.

What is the CVSS score for CVE-2025-23205?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Impact Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. ### Workarounds - Disable `frame-ancestors: self`, or - enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame). ### References JupyterHub documentation on why and when `frame-ancestors: self` is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors

Exploitation Scenario

On a corporate ML research platform or university AI course environment: Attacker Alice, a regular JupyterHub user without formgrader access, creates a malicious HTML page hosted on the same JupyterHub origin. The page silently embeds the formgrader URL in a hidden IFrame and runs JavaScript that polls the IFrame's contentDocument for loaded DOM content. Alice crafts a convincing pretext (e.g., 'check this notebook I shared with you') and sends the link to Bob, a TA or instructor with formgrader access. When Bob clicks the link, his authenticated session transparently loads formgrader inside the IFrame. Because Alice's page and the IFrame share the same origin, her JavaScript reads the full formgrader DOM—extracting student names, grades, submitted ML code, and dataset references—and POSTs everything to an attacker-controlled endpoint. Bob sees nothing unusual; the malicious page can display a decoy notebook to reduce suspicion.

Weaknesses (CWE)

CWE-1021 Improper Restriction of Rendered UI Layers or Frames Primary CWE-668 Exposure of Resource to Wrong Sphere Primary

References

Timeline

Published
January 17, 2025
Last Modified
January 17, 2025
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed