CVE-2025-32428: jupyter-remote-desktop-proxy: VNC network exposure
GHSA-vrq4-9hc3-cgp7 | CRITICAL | PoC AVAILABLE | CISA: TRACK*
If your JupyterHub deployment runs jupyter-remote-desktop-proxy v3.0.0 with TigerVNC, remote desktop sessions are bound to network interfaces instead of UNIX sockets: any network-adjacent attacker can connect and take full visual control of active ML sessions. Upgrade to v3.0.1 immediately or switch to TurboVNC as an interim workaround. Audit VNC port exposure (5900+) across all JupyterHub nodes now.
What is the risk?
Moderate-to-high risk in multi-user JupyterHub environments typical of academic institutions, research labs, and enterprise ML platforms. Exploitability is trivial — requires only network access and a VNC client. EPSS is low (0.00158), suggesting limited active exploitation in the wild, but the blast radius per affected node is severe: full desktop takeover of an active user session. Risk is amplified in shared GPU clusters where researchers run long training jobs with credentials and data pipelines open. Not in CISA KEV, and the 'critical' severity label overstates typical exposure, but organizations with internet-accessible JupyterHub instances should treat this as urgent.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter | pip | = 3.0.0 | 3.0.1 |
Do you run jupyter-remote-desktop-proxy 3.0.0 with TigerVNC? You're affected.
What should I do?
6 steps:
- PATCH (priority): Upgrade to jupyter-remote-desktop-proxy v3.0.1; this resolves the UNIX socket binding.
- WORKAROUND: Replace TigerVNC with TurboVNC; the vulnerability is TigerVNC-specific.
- AUDIT EXPOSURE: Run `ss -tlnp | grep 59` on all JupyterHub nodes to identify VNC ports bound to non-localhost interfaces.
- NETWORK CONTROLS: Enforce firewall rules blocking VNC ports (5900-5910) from external access; VNC should never be directly network-accessible.
- DETECT: Review TCP connection logs to VNC ports for unauthorized connections; check for unexpected VNC client processes.
- INVENTORY: Identify all nodes running v3.0.0 via `pip show jupyter-remote-desktop-proxy` or your configuration management tool.
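An added example for the AUDIT EXPOSURE step (not part of the original advisory or the project's code): `grep 59` also matches PIDs and unrelated ports, so this shell function parses the local-address column of `ss -tlnp` output and reports only listeners in the 5900-5910 range bound to non-loopback addresses. The function names, sample output, addresses and PIDs are constructed for illustration.

```shell
#!/bin/sh
# Flag VNC listeners bound to non-loopback addresses.
# Reads `ss -tlnp` output on stdin (assumes TCP-only output, so column 4
# is Local Address:Port). Optional args override the port range.
vnc_exposed() {
  awk -v lo="${1:-5900}" -v hi="${2:-5910}" '
    $1 != "LISTEN" { next }                  # also skips the header row
    {
      ep = $4
      if (!match(ep, /:[0-9]+$/)) next       # port is after the last colon
      port = substr(ep, RSTART + 1) + 0
      addr = substr(ep, 1, RSTART - 1)
      gsub(/^\[|\]$/, "", addr)              # [::] becomes ::
      sub(/%.*$/, "", addr)                  # drop %iface scope suffix
      sub(/^::ffff:/, "", addr)              # IPv4-mapped IPv6
      if (port < lo || port > hi) next       # not a VNC display port
      if (addr ~ /^127\./ || addr == "::1") next   # loopback-only is fine
      print addr, port, (NF >= 6 ? $6 : "-")
    }'
}

# Constructed sample of `ss -tlnp` output (not captured from a real host).
# The jupyter-lab row has pid=5912, which `grep 59` would wrongly match.
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      5            0.0.0.0:5901      0.0.0.0:*    users:(("Xtigervnc",pid=2101,fd=7))
LISTEN 0      5               [::]:5901         [::]:*    users:(("Xtigervnc",pid=2101,fd=8))
LISTEN 0      5          127.0.0.1:5902      0.0.0.0:*    users:(("Xvnc",pid=2250,fd=7))
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=801,fd=3))
LISTEN 0      128          0.0.0.0:8888      0.0.0.0:*    users:(("jupyter-lab",pid=5912,fd=6))
EOF
}

# On a real node: ss -tlnp | vnc_exposed
sample_ss_output | vnc_exposed
```

Any line it prints is a VNC display port reachable beyond the local host; run it as root so the process column is populated for other users' sessions.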
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-32428 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-32428, increasing the risk of exploitation.
How to fix CVE-2025-32428?
1. PATCH (priority): Upgrade to jupyter-remote-desktop-proxy v3.0.1; this resolves the UNIX socket binding.
2. WORKAROUND: Replace TigerVNC with TurboVNC; the vulnerability is TigerVNC-specific.
3. AUDIT EXPOSURE: Run `ss -tlnp | grep 59` on all JupyterHub nodes to identify VNC ports bound to non-localhost interfaces.
4. NETWORK CONTROLS: Enforce firewall rules blocking VNC ports (5900-5910) from external access; VNC should never be directly network-accessible.
5. DETECT: Review TCP connection logs to VNC ports for unauthorized connections; check for unexpected VNC client processes.
6. INVENTORY: Identify all nodes running v3.0.0 via `pip show jupyter-remote-desktop-proxy` or your configuration management tool.
What systems are affected by CVE-2025-32428?
This vulnerability affects the following AI/ML architecture patterns: Jupyter/notebook environments, ML training pipelines, Multi-user AI development platforms, Research computing clusters, GPU workstation pools.
What is the CVSS score for CVE-2025-32428?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0025 Exfiltration via Cyber Means
- AML.T0035 AI Artifact Collection
- AML.T0037 Data from Local System
- AML.T0049 Exploit Public-Facing Application
Compliance Controls Affected
What are the technical details?
Original Advisory
## Summary
`jupyter-remote-desktop-proxy` was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by `jupyter-remote-desktop-proxy` was still accessible via the network. This vulnerability does not affect users having TurboVNC as the `vncserver` executable.
## Credits
This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.
Exploitation Scenario
An attacker with access to the same network segment as a JupyterHub deployment (internal user, compromised workstation, or exposed instance) scans for open VNC ports (5900+) on compute nodes. They discover jupyter-remote-desktop-proxy v3.0.0 with TigerVNC has bound the VNC server to a network interface. Using a standard VNC client — no specialized tooling required — they connect to an active session belonging to an ML engineer running a training job. The attacker observes the desktop: a terminal with an active AWS session, a Jupyter notebook with training code, and a file manager browsing model checkpoints. They screenshot credentials, copy model weights to an external server, and optionally take control of the mouse/keyboard to plant backdoors in training scripts or manipulate model outputs. The legitimate user sees nothing unusual — VNC sessions provide no built-in access notification.
Weaknesses (CWE)
CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
Source: MITRE CWE corpus.
References
- github.com/advisories/GHSA-vrq4-9hc3-cgp7
- github.com/jupyterhub/jupyter-remote-desktop-proxy/commit/7dd54c25a4253badd8ea68895437e5a66a59090d
- github.com/jupyterhub/jupyter-remote-desktop-proxy/security/advisories/GHSA-vrq4-9hc3-cgp7
- nvd.nist.gov/vuln/detail/CVE-2025-32428
- github.com/tanjiti/sec_profile Exploit
Related Vulnerabilities
- CVE-2023-25574 (10.0) JupyterHub LTI13: JWT forgery enables full auth bypass. Same package: jupyter
- CVE-2026-44180 (9.8) Jupyter Enterprise Gateway: root privilege bypass in Kubernetes. Same package: jupyter
- CVE-2026-42266 (8.8) JupyterLab: Extension allow-list bypass enables privesc. Same package: jupyter
- CVE-2026-5422 (8.1) jupyter-server: path traversal exposes sibling dir files. Same package: jupyter
- CVE-2025-30370 (7.4) jupyterlab-git: command injection via malicious repo name. Same package: jupyter