CVE-2025-32428 CRITICAL

CVE-2025-32428: Jupyter Remote Desktop Proxy makes TigerVNC accessible via the network and not just via a UNIX socket as intended

Vendor Jupyterhub
Product jupyter-remote-desktop-proxy
Weakness CWE-668
Published April 14, 2025
Last update April 15, 2025

CVSS base score

9.0/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01Description

Jupyter Remote Desktop Proxy allows you to run a Linux Desktop on a JupyterHub. jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network. This vulnerability does not affect users having TurboVNC as the vncserver executable. This issue is fixed in 3.0.1.

Key dates

02Disclosure timeline

April 14, 2025 CVE published
April 15, 2025 Record updated