CVE-2023-25574
Published: 25 February 2025
Summary
CVE-2023-25574 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Jupyter Lti Jupyterhub Authenticator. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2023-25574 is a critical vulnerability in the `jupyterhub-ltiauthenticator` package, a JupyterHub authenticator for Learning Tools Interoperability (LTI). Specifically, the LTI13Authenticator class, introduced in version 1.3.0, fails to validate JSON Web Token (JWT) signatures (CWE-347), potentially allowing forged authentication requests. This issue affects only JupyterHub installations explicitly configured to use the `LTI13Authenticator` class. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its remote, unauthenticated nature and potential for complete system compromise.
Any network-accessible attacker without privileges can exploit this by crafting a forged JWT request that bypasses authentication, tricking the LTI13Authenticator into granting unauthorized access to the JupyterHub instance. Successful exploitation could enable full control over the affected system, including high confidentiality, integrity, and availability impacts, such as spawning user sessions, accessing notebooks, or executing arbitrary code in a shared environment.
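To make the CWE-347 pattern concrete, the following added example (written for this page, not code from the `jupyterhub-ltiauthenticator` project) contrasts an authenticator that reads JWT claims without checking the signature with one that verifies the signature and then the `iss`, `aud` and `exp` claims before trusting anything in the token. It uses HS256 with a shared key purely so it runs with the standard library; a real LTI 1.3 platform signs its `id_token` with RS256 and the tool verifies against the platform's published JWKS, but the ordering (verify first, then read claims) is the same. The issuer, client id and both keys are constructed values, not real platform data.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the demonstration; none of these are real LTI platform secrets.
PLATFORM_KEY = b"platform-shared-secret-constructed"   # key the legitimate platform signs with
ATTACKER_KEY = b"attacker-picked-key-constructed"      # any other key, e.g. one a forger picks
ISSUER = "https://platform.example/"                   # assumed platform issuer (iss)
CLIENT_ID = "jupyterhub-tool-client-id"                # assumed tool client_id (aud)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT; a simplified stand-in for the platform's RS256 id_token."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def claims_unverified(token: str) -> dict:
    """The vulnerable pattern: the claims are read and trusted, the signature is never checked."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def claims_verified(token: str, key: bytes, issuer: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """The hardened pattern: check the signature, then iss/aud/exp, before returning claims."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier, not the token, fixes the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    current = now if now is not None else time.time()
    if current >= float(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def is_accepted(token: str, key: bytes, issuer: str, audience: str,
                now: Optional[float] = None) -> bool:
    """True only if the token passes every check in claims_verified."""
    try:
        claims_verified(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = time.time()
    genuine = sign_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "student-1", "exp": now + 300}, PLATFORM_KEY)
    forged = sign_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin", "exp": now + 300}, ATTACKER_KEY)
    # Without signature validation both tokens look equally trustworthy.
    print("unverified:", claims_unverified(genuine)["sub"], claims_unverified(forged)["sub"])
    # With validation only the platform-signed token is accepted.
    print("verified:", is_accepted(genuine, PLATFORM_KEY, ISSUER, CLIENT_ID),
          is_accepted(forged, PLATFORM_KEY, ISSUER, CLIENT_ID))
```

The point the test makes is that `claims_unverified` returns the forged token's `sub` claim just as readily as the genuine one's, which is exactly the condition under which an authenticator would log in whoever the token names; `claims_verified` rejects the forged token because the signature was not produced with the platform's key, and also rejects an otherwise valid token once `exp` has passed.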
The GitHub security advisory (GHSA-mcgx-2gcr-p3hp) and changelog confirm that version 1.4.0 of `jupyterhub-ltiauthenticator` addresses the issue by removing the LTI13Authenticator entirely. No workarounds are available, and affected users must upgrade immediately. Relevant code showing the validation flaw is documented in the project's validator.py file.
JupyterHub's role in collaborative notebook environments, often used in educational and data science contexts, amplifies the risk in LTI-integrated deployments, though no real-world exploitation has been reported.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-29521
Vulnerability details
`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for learning tools interoperability (LTI). LTI13Authenticator, which was introduced in `jupyterhub-ltiauthenticator` 1.3.0, wasn't validating JWT signatures. This is believed to allow the LTI13Authenticator to authorize a forged request. Only users that have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.
- CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an unauthenticated JWT signature validation flaw in a public-facing LTI authenticator, directly enabling remote attackers to bypass auth and gain initial access to JupyterHub (T1190).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): requires timely remediation of flaws such as the missing JWT signature validation in jupyterhub-ltiauthenticator version 1.3.0 by upgrading to 1.4.0.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning and monitoring identifies the CVE-2023-25574 flaw in deployed jupyterhub-ltiauthenticator instances for prompt remediation.
- Authenticator management: ensures authenticators such as the JWTs consumed by LTI13Authenticator have sufficient strength of mechanism, including cryptographic signature validation.