AI Threat Alert AI Threat Alert

CVE-2025-32428: jupyter-remote-desktop-proxy: VNC network exposure

GHSA-vrq4-9hc3-cgp7 CRITICAL PoC AVAILABLE CISA: TRACK*
Published April 12, 2025
CISO Take

If your JupyterHub deployment runs jupyter-remote-desktop-proxy v3.0.0 with TigerVNC, remote desktop sessions are bound to network interfaces instead of UNIX sockets — any network-adjacent attacker can connect and take full visual control of active ML sessions. Upgrade to v3.0.1 immediately or switch to TurboVNC as an interim workaround. Audit VNC port exposure (5900+) across all JupyterHub nodes now.

Risk Assessment

Moderate-to-high risk in multi-user JupyterHub environments typical of academic institutions, research labs, and enterprise ML platforms. Exploitability is trivial — requires only network access and a VNC client. EPSS is low (0.00158), suggesting limited active exploitation in the wild, but the blast radius per affected node is severe: full desktop takeover of an active user session. Risk is amplified in shared GPU clusters where researchers run long training jobs with credentials and data pipelines open. Not in CISA KEV, and the 'critical' severity label overstates typical exposure, but organizations with internet-accessible JupyterHub instances should treat this as urgent.

Affected Systems

Package Ecosystem Vulnerable Range Patched
jupyter-remote-desktop-proxy pip = 3.0.0 3.0.1
13.1K OpenSSF 4.8 1.9K dependents Pushed 9d ago 69% patched ~0d to patch Full package profile →

Do you use jupyter-remote-desktop-proxy? You're affected.

Severity & Risk

CVSS 3.1
N/A
EPSS
0.2%
chance of exploitation in 30 days
Higher than 36% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

6 steps

  1. PATCH (priority): Upgrade to jupyter-remote-desktop-proxy v3.0.1 — resolves the UNIX socket binding.

  2. WORKAROUND

    Replace TigerVNC with TurboVNC; vulnerability is TigerVNC-specific.

  3. AUDIT EXPOSURE

    Run ss -tlnp | grep 59 on all JupyterHub nodes to identify VNC ports bound to non-localhost interfaces.

  4. NETWORK CONTROLS

    Enforce firewall rules blocking VNC ports (5900-5910) from external access; VNC should never be directly network-accessible.

  5. DETECT

    Review TCP connection logs to VNC ports for unauthorized connections; check for unexpected VNC client processes.

  6. INVENTORY

    Identify all nodes running v3.0.0 via pip show jupyter-remote-desktop-proxy or your configuration management tool.

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Auth Bypass Data Leakage Privacy Violation Framework AML.T0006 AML.T0025 AML.T0035 AML.T0037 AML.T0049

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 9 - Risk Management System
ISO 42001
A.6.2 - AI system resource management and network security
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain treatment of AI risks over time
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2025-32428?

If your JupyterHub deployment runs jupyter-remote-desktop-proxy v3.0.0 with TigerVNC, remote desktop sessions are bound to network interfaces instead of UNIX sockets — any network-adjacent attacker can connect and take full visual control of active ML sessions. Upgrade to v3.0.1 immediately or switch to TurboVNC as an interim workaround. Audit VNC port exposure (5900+) across all JupyterHub nodes now.

Is CVE-2025-32428 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-32428, increasing the risk of exploitation.

How to fix CVE-2025-32428?

1. PATCH (priority): Upgrade to jupyter-remote-desktop-proxy v3.0.1 — resolves the UNIX socket binding. 2. WORKAROUND: Replace TigerVNC with TurboVNC; vulnerability is TigerVNC-specific. 3. AUDIT EXPOSURE: Run `ss -tlnp | grep 59` on all JupyterHub nodes to identify VNC ports bound to non-localhost interfaces. 4. NETWORK CONTROLS: Enforce firewall rules blocking VNC ports (5900-5910) from external access; VNC should never be directly network-accessible. 5. DETECT: Review TCP connection logs to VNC ports for unauthorized connections; check for unexpected VNC client processes. 6. INVENTORY: Identify all nodes running v3.0.0 via `pip show jupyter-remote-desktop-proxy` or your configuration management tool.

What systems are affected by CVE-2025-32428?

This vulnerability affects the following AI/ML architecture patterns: Jupyter/notebook environments, ML training pipelines, Multi-user AI development platforms, Research computing clusters, GPU workstation pools.

What is the CVSS score for CVE-2025-32428?

No CVSS score has been assigned yet.

Technical Details

NVD Description

## Summary `jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by `jupyter-remote-desktop-proxy` were still accessible via the network. This vulnerability does not affect users having TurboVNC as the `vncserver` executable. ## Credits This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

Exploitation Scenario

An attacker with access to the same network segment as a JupyterHub deployment (internal user, compromised workstation, or exposed instance) scans for open VNC ports (5900+) on compute nodes. They discover jupyter-remote-desktop-proxy v3.0.0 with TigerVNC has bound the VNC server to a network interface. Using a standard VNC client — no specialized tooling required — they connect to an active session belonging to an ML engineer running a training job. The attacker observes the desktop: a terminal with an active AWS session, a Jupyter notebook with training code, and a file manager browsing model checkpoints. They screenshot credentials, copy model weights to an external server, and optionally take control of the mouse/keyboard to plant backdoors in training scripts or manipulate model outputs. The legitimate user sees nothing unusual — VNC sessions provide no built-in access notification.

Weaknesses (CWE)

CWE-668 Exposure of Resource to Wrong Sphere Primary

References

Timeline

Published
April 12, 2025
Last Modified
April 15, 2025
First Seen
March 24, 2026

Related Vulnerabilities

HIGH CVE-2026-42266 8.8

JupyterLab: Extension allow-list bypass enables privesc

Same package: jupyter
HIGH CVE-2026-35397 7.1

Jupyter Server: path traversal leaks sibling directories

Same package: jupyter
MEDIUM CVE-2026-40934 6.8

jupyter-server: auth cookie survives password reset

Same package: jupyter
MEDIUM CVE-2026-40864 5.4

JupyterHub: CSRF bypass on spawn and share endpoints

Same package: jupyter
HIGH CVE-2026-40110

Jupyter Server: CORS bypass via regex anchor omission

Same package: jupyter
Back to Threat Feed