PT-2025-7886 · Unknown · Jupyterhub Oauthenticator

Published 2025-02-25 · Updated 2025-03-03 · CVE-2023-25574

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: jupyterhub-ltiauthenticator versions 1.3.0 through 1.3.x

Description: The issue concerns the LTI13Authenticator in jupyterhub-ltiauthenticator, which failed to validate JWT signatures, potentially allowing forged requests to be authorized. This affects JupyterHub installations configured to use the LTI13Authenticator class.

Recommendations: For versions 1.3.0 through 1.3.x, update to version 1.4.0, which removes the LTI13Authenticator to address the issue. As a temporary workaround, consider disabling the LTI13Authenticator class until the issue is resolved.
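To illustrate the weakness class described above (claims taken from an LTI 1.3 id_token without checking its signature) next to the hardened pattern, here is a constructed example that is not code from jupyterhub-ltiauthenticator. A real LTI 1.3 platform signs the id_token with RS256 keys published at its JWKS endpoint; this example uses HS256 with a shared secret so it runs offline on the standard library alone, and the issuer, audience and secret values are made up.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example, not code from jupyterhub-ltiauthenticator. A real LTI 1.3
# platform signs its id_token with RS256 keys published at its JWKS endpoint;
# HS256 with a shared secret stands in here so the example runs offline.
PLATFORM_SECRET = b"constructed-shared-secret"
EXPECTED_ISS = "https://platform.example"   # constructed platform issuer
EXPECTED_AUD = "tool-client-id"             # the tool's client_id at the platform
MESSAGE_TYPE = "https://purl.imsglobal.org/spec/lti/claim/message_type"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT the way the platform would (any key produces one)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def claims_without_verification(token: str) -> dict:
    """The vulnerable pattern: decode the payload and trust it, signature unchecked."""
    return json.loads(_b64url_decode(token.split(".")[1]))

def verified_claims(token: str, secret: bytes, now=None) -> dict:
    """Hardened pattern: check alg and signature first, then the LTI 1.3 claims."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    now = time.time() if now is None else now
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if MESSAGE_TYPE not in claims:
        raise ValueError("not an LTI launch message")
    return claims
```

A token produced under any other key decodes fine through `claims_without_verification` but is rejected by `verified_claims`, which is the distinction the fix in 1.4.0 sidesteps by removing the class entirely.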

Weakness Enumeration

Improper Verification of Cryptographic Signature

Related Identifiers

BDU:2026-00153
CVE-2023-25574
GHSA-MCGX-2GCR-P3HP
PYSEC-2025-120

Affected Products

Jupyterhub Oauthenticator