
AVID-2026-R0884

Description

Code injection in nbgitpuller (CVE-2021-39160)

Details

nbgitpuller is a Jupyter server extension that syncs a git repository one-way to a local path. Due to unsanitized input, visiting a maliciously crafted link could result in arbitrary code execution in the user's environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No workaround exists for users who cannot upgrade.

Reason for inclusion in AVID: CVE-2021-39160 describes a code injection vulnerability in nbgitpuller, a Jupyter server extension used in AI/ML workflows to fetch code from Git repositories. The flaw arises from unsanitized input and can lead to arbitrary code execution in the user's environment, a high-impact security vulnerability. nbgitpuller is a software component commonly used in AI development and deployment stacks (Jupyter-based workflows, notebooks, and CI/CD within AI labs), so it is part of the software supply chain for general-purpose AI systems. The advisory includes remediation (upgrade to 0.10.2) and a CVSS 3.1 score (9.6), providing sufficient evidence of the vulnerability and its impact.

References

Affected or Relevant Artifacts

  • Developer: jupyterhub
  • Deployer: jupyterhub
  • Artifact Details:
    Type: System
    Name: nbgitpuller

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score: 9.6
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID: CWE-94
Description: Improper Control of Generation of Code ('Code Injection')

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2021-08-25
  • Version: 0.3.3
  • AVID Entry