CVE-2025-23205: nbgrader Clickjacking exposes

CISO Take

JupyterHub deployments running nbgrader 0.9.4 with default settings allow any authenticated user to exfiltrate formgrader content—grades, ML submissions, research notebooks—by tricking a privileged user into visiting a malicious page on the same origin. Patch to nbgrader 0.9.5 immediately. If patching is delayed, disable frame-ancestors: self in JupyterHub CSP or enable per-subdomain isolation (JupyterHub.enable_subdomains=True).

What is the risk?

Moderate risk for academic and enterprise ML/AI platforms running JupyterHub with nbgrader. Exploitation requires a valid JupyterHub account plus successful social engineering to deliver a malicious link to a formgrader-privileged user, limiting opportunistic mass exploitation. However, formgrader content can include proprietary ML code, research datasets, and student PII. EPSS of 0.277% and no CISA KEV listing indicate no active exploitation in the wild at this time.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
nbgrader	pip	= 0.9.4	`0.9.5`

Do you use nbgrader? You're affected.

How severe is it?

CVSS 3.1

N/A

EPSS

0.5%

chance of exploitation in 30 days

Higher than 36% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What should I do?

5 steps

PATCH

Upgrade nbgrader to 0.9.5 — the patched version reverts the frame-ancestors: self header change.
WORKAROUND A

Explicitly disable frame-ancestors: self in JupyterHub Content Security Policy configuration.
WORKAROUND B

Set JupyterHub.enable_subdomains=True to enforce per-user origin isolation, preventing cross-frame DOM access even if IFrame embedding is allowed.
VERIFY

Inspect live CSP headers (curl -I or browser DevTools > Network > Response Headers) to confirm frame-ancestors policy before and after remediation.
HARDEN

Restrict formgrader access to the minimum required users via JupyterHub role/group configuration to reduce the attack surface.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Social Engineering Auth Bypass Framework AML.T0011.003 - Malicious Link AML.T0012 - Valid Accounts AML.T0036 - Data from Information Repositories AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.9.3 - AI System Security Controls

NIST AI RMF

MANAGE-2.4 - Residual Risk Treatment

Frequently Asked Questions

What is CVE-2025-23205?

JupyterHub deployments running nbgrader 0.9.4 with default settings allow any authenticated user to exfiltrate formgrader content—grades, ML submissions, research notebooks—by tricking a privileged user into visiting a malicious page on the same origin. Patch to nbgrader 0.9.5 immediately. If patching is delayed, disable frame-ancestors: self in JupyterHub CSP or enable per-subdomain isolation (JupyterHub.enable_subdomains=True).

Is CVE-2025-23205 actively exploited?

No confirmed active exploitation of CVE-2025-23205 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-23205?

1. PATCH: Upgrade nbgrader to 0.9.5 — the patched version reverts the frame-ancestors: self header change. 2. WORKAROUND A: Explicitly disable frame-ancestors: self in JupyterHub Content Security Policy configuration. 3. WORKAROUND B: Set JupyterHub.enable_subdomains=True to enforce per-user origin isolation, preventing cross-frame DOM access even if IFrame embedding is allowed. 4. VERIFY: Inspect live CSP headers (curl -I or browser DevTools > Network > Response Headers) to confirm frame-ancestors policy before and after remediation. 5. HARDEN: Restrict formgrader access to the minimum required users via JupyterHub role/group configuration to reduce the attack surface.

What systems are affected by CVE-2025-23205?

This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook platforms, AI/ML training environments, academic ML platforms, data science workspaces.

What is the CVSS score for CVE-2025-23205?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

Jupyter notebook platformsAI/ML training environmentsacademic ML platformsdata science workspaces

MITRE ATLAS Techniques

AML.T0011.003 Malicious Link

AML.T0012 Valid Accounts

AML.T0036 Data from Information Repositories

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.9.3

NIST AI RMF: MANAGE-2.4

What are the technical details?

Original Advisory

### Impact Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of `enable_subdomains = False`. #1915 disables a protection which would allow user Alice to craft a page embedding formgrader in an IFrame. If Bob visits that page, his credentials will be sent and the formgrader page loaded. Because Alice's page is on the same Origin as the formgrader iframe, Javasript on Alice's page has _full access_ to the contents of the page served by formgrader using Bob's credentials. ### Workarounds - Disable `frame-ancestors: self`, or - enable per-user and per-service subdomains with `JupyterHub.enable_subdomains = True` (then even if embedding in an IFrame is allowed, the host page does not have access to the contents of the frame). ### References JupyterHub documentation on why and when `frame-ancestors: self` is insecure, and why it was disabled by default: https://jupyterhub.readthedocs.io/en/stable/explanation/websecurity.html#:~:text=frame-ancestors

Exploitation Scenario

On a corporate ML research platform or university AI course environment: Attacker Alice, a regular JupyterHub user without formgrader access, creates a malicious HTML page hosted on the same JupyterHub origin. The page silently embeds the formgrader URL in a hidden IFrame and runs JavaScript that polls the IFrame's contentDocument for loaded DOM content. Alice crafts a convincing pretext (e.g., 'check this notebook I shared with you') and sends the link to Bob, a TA or instructor with formgrader access. When Bob clicks the link, his authenticated session transparently loads formgrader inside the IFrame. Because Alice's page and the IFrame share the same origin, her JavaScript reads the full formgrader DOM—extracting student names, grades, submitted ML code, and dataset references—and POSTs everything to an attacker-controlled endpoint. Bob sees nothing unusual; the malicious page can display a decoy notebook to reduce suspicion.

Weaknesses (CWE)

CWE-1021 Improper Restriction of Rendered UI Layers or Frames Primary CWE-668 Exposure of Resource to Wrong Sphere Primary

CWE-1021 — Improper Restriction of Rendered UI Layers or Frames: The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain.

[Implementation] The use of X-Frame-Options allows developers of web content to restrict the usage of their application within the form of overlays, frames, or iFrames. The developer can indicate from which domains can frame the content. The concept of X-Frame-Options is well documented, but implementation of this protection mechanism is in development to cover gaps. There is a need for allowing frames from multiple domains.
[Implementation] A developer can use a "frame-breaker" script in each page that should not be framed. This is very helpful for legacy browsers that do not support X-Frame-Options security feature previously mentioned. It is also important to note that this tactic has been circumvented or bypassed. Improper usage of frames can persist in the web application through nested frames. The "frame-breaking" script does not intuitively account for multiple nested frames that can be presented to the user.

Source: MITRE CWE corpus.