Cyber Posture

CVE-2023-25574

Critical

Published: 25 February 2025

Modified: 02 September 2025
KEV Added: not listed
Patch: upgrade to 1.4.0
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0037 (58.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-25574 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Jupyter Lti Jupyterhub Authenticator (the `jupyterhub-ltiauthenticator` package). Its CVSS base score is 10.0 (Critical).

Operationally, it is ranked in the top 41.1% of CVEs by exploit likelihood (EPSS 0.0037, 58.9th percentile); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2, Flaw Remediation): Requires timely remediation of flaws such as the missing JWT signature validation in jupyterhub-ltiauthenticator version 1.3.0 by upgrading to 1.4.0.

detect (RA-5, Vulnerability Monitoring and Scanning): Vulnerability scanning and monitoring identifies the CVE-2023-25574 flaw in deployed jupyterhub-ltiauthenticator instances for prompt remediation.

prevent: Ensures authenticators such as the JWTs consumed by LTI13Authenticator have sufficient strength of mechanism, including cryptographic signature validation.

NVD Description

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator, which was introduced in `jupyterhub-ltiauthenticator` 1.3.0, wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.

Deeper analysis

CVE-2023-25574 is a critical vulnerability in the `jupyterhub-ltiauthenticator` package, a JupyterHub authenticator for Learning Tools Interoperability (LTI). Specifically, the LTI13Authenticator class, introduced in version 1.3.0, fails to validate JSON Web Token (JWT) signatures (CWE-347), potentially allowing forged authentication requests. This issue affects only JupyterHub installations explicitly configured to use the `LTI13Authenticator` class. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its remote, unauthenticated nature and potential for complete system compromise.

Any network-accessible attacker without privileges can exploit this by crafting a forged JWT request that bypasses authentication, tricking the LTI13Authenticator into granting unauthorized access to the JupyterHub instance. Successful exploitation could enable full control over the affected system, including high confidentiality, integrity, and availability impacts, such as spawning user sessions, accessing notebooks, or executing arbitrary code in a shared environment.

The GitHub security advisory (GHSA-mcgx-2gcr-p3hp) and changelog confirm that version 1.4.0 of `jupyterhub-ltiauthenticator` addresses the issue by removing the LTI13Authenticator entirely. No workarounds are available, and affected users must upgrade immediately. Relevant code showing the validation flaw is documented in the project's validator.py file.

JupyterHub's role in collaborative notebook environments, often used in educational and data science contexts, amplifies the risk in LTI-integrated deployments, though no real-world exploitation has been reported.
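To make the CWE-347 failure concrete, here is an added example (not code from `jupyterhub-ltiauthenticator` or its validator.py) that places the vulnerable pattern, trusting JWT claims without checking the signature, beside a verifying decoder that pins the algorithm, checks the signature in constant time, and then checks `iss`, `aud` and `exp`. LTI 1.3 id_tokens are RS256-signed with keys from the platform's JWKS; this offline demo assumes HS256 with a constructed shared key so it runs on the standard library alone, and the key, issuer, audience and token values are all constructed.

```python
import base64, hashlib, hmac, json, time

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs256(claims: dict, key: bytes) -> str:
    """Constructed stand-in for the LTI platform issuing an id_token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def decode_unverified(token: str) -> dict:
    """CWE-347 pattern: claims are trusted without checking the signature."""
    return json.loads(_unb64url(token.split(".")[1]))

def decode_verified(token: str, key: bytes, issuer: str, audience: str) -> dict:
    """Hardened: fixed alg, constant-time signature check, then iss/aud/exp."""
    h64, p64, s64 = token.split(".")
    if json.loads(_unb64url(h64)).get("alg") != "HS256":  # never trust alg from token
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(p64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong iss/aud")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def is_accepted(token: str, key: bytes, issuer: str, audience: str) -> bool:
    try:
        decode_verified(token, key, issuer, audience)
        return True
    except ValueError:
        return False

def tampered_token(token: str, new_sub: str) -> str:
    """Constructed test vector: payload edited, original signature left in place."""
    h64, p64, s64 = token.split(".")
    claims = dict(json.loads(_unb64url(p64)), sub=new_sub)
    return f"{h64}.{_b64url(json.dumps(claims).encode())}.{s64}"

KEY, ISS, AUD = b"constructed-demo-key", "https://lms.example.invalid", "demo-client-id"  # constructed
GENUINE = sign_hs256({"iss": ISS, "aud": AUD, "sub": "alice", "exp": 4102444800}, KEY)
FORGED = tampered_token(GENUINE, "admin")
```

`decode_unverified(FORGED)` happily reports `sub == "admin"`, while `decode_verified` rejects the same token on the signature check before any claim is read; the tampered token is the test vector a detection or regression test for this class of flaw should include.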

Details

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Affected Products: Jupyter, lti jupyterhub authenticator (`jupyterhub-ltiauthenticator`), version 1.3.0

CVEs Like This One

CVE-2026-33175 (same vendor: Jupyter)
CVE-2025-27773 (shared CWE-347)
CVE-2026-5466 (shared CWE-347)
CVE-2026-40372 (shared CWE-347)
CVE-2026-38651 (shared CWE-347)
CVE-2026-34377 (shared CWE-347)
CVE-2026-20997 (shared CWE-347)
CVE-2025-23206 (shared CWE-347)
CVE-2025-52648 (shared CWE-347)
CVE-2026-32614 (shared CWE-347)

References