
AVID-2026-R1191

Description

JupyterHub’s LTI13Authenticator: JWT signature not validated (CVE-2023-25574)

Details

jupyterhub-ltiauthenticator is a JupyterHub authenticator for Learning Tools Interoperability (LTI). The LTI13Authenticator class, introduced in jupyterhub-ltiauthenticator 1.3.0, did not validate JWT signatures. This is believed to allow LTI13Authenticator to authorize a forged request. Only users who have configured a JupyterHub installation to use the authenticator class LTI13Authenticator are affected. jupyterhub-ltiauthenticator version 1.4.0 removes LTI13Authenticator to address the issue. No known workarounds are available.

Reason for inclusion in AVID: The CVE describes a critical vulnerability in jupyterhub-ltiauthenticator’s LTI13Authenticator, a component used in JupyterHub deployments to run AI/ML notebook environments. It concerns improper JWT signature verification, enabling forged requests with potential compromise of notebooks and data. This affects a software component in the AI software stack (dependencies/runtimes used to build/run general-purpose AI systems), is a security vulnerability, and the report provides explicit signal (CVE id, affected versions, remediation). Therefore it should be kept for AVID curation.
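The failure mode behind CWE-347, as an added illustration that is not code from jupyterhub-ltiauthenticator: an authenticator that reads the id_token's claims without verifying the signature accepts a token anyone can mint, while a verifier that checks alg, signature, issuer, audience and expiry rejects it. HS256 with a shared key stands in for the RS256-against-platform-JWKS verification an LTI 1.3 tool must do, so that the example runs on the standard library alone; the key, issuer and client_id values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (not from the advisory). Real LTI 1.3 id_tokens are
# RS256-signed and verified against the platform's JWKS; HS256 stands in here.
PLATFORM_KEY = b"platform-signing-key-demo"
ISSUER = "https://platform.example"   # hypothetical LTI platform issuer
CLIENT_ID = "hub-client-demo"          # hypothetical client_id registered for the hub

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mint_token(claims, key):
    """Sign an id_token the way the platform would (compact JWS: header.payload.sig)."""
    header = _b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def unverified_claims(token):
    """The CWE-347 pattern: claims are trusted without checking who signed them."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verified_claims(token, key, now=None):
    """Hardened form: alg, signature, iss, aud and exp are all checked before use."""
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # pin the algorithm; also refuses alg=none
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature does not verify")
    claims = json.loads(_b64url_decode(body_b64))  # only parsed after the signature holds
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

A token minted with any key other than the platform's yields whatever `sub` its author chose to `unverified_claims`, but never gets past `verified_claims`.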

References

Affected or Relevant Artifacts

  • Developer: jupyterhub
  • Deployer: jupyterhub
  • Artifact Details:
    Type: System
    Name: ltiauthenticator

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.1
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score: 10.0
Base Severity: 🔴 Critical
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

ID: CWE-347
Description: Improper Verification of Cryptographic Signature

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-02-25
  • Version: 0.3.3
  • AVID Entry