GHSA-vrq4-9hc3-cgp7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vrq4-9hc3-cgp7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/04/GHSA-vrq4-9hc3-cgp7/GHSA-vrq4-9hc3-cgp7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vrq4-9hc3-cgp7
- Aliases
- Published
- 2025-04-12T03:42:31Z
- Modified
- 2025-04-15T12:49:04Z
- Severity
-
- 9.0 (Critical) CVSS_V4 - CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H CVSS Calculator
- Summary
- TigerVNC accessible via the network and not just via a UNIX socket as intended
- Details
-
Summary
jupyter-remote-desktop-proxywas meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started byjupyter-remote-desktop-proxywere still accessible via the network.This vulnerability does not affect users having TurboVNC as the
vncserverexecutable.Credits
This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.
- Database specific
{ "severity": "CRITICAL", "github_reviewed": true, "cwe_ids": [ "CWE-668" ], "nvd_published_at": "2025-04-15T00:15:14Z", "github_reviewed_at": "2025-04-12T03:42:31Z" }- References
-
- https://github.com/jupyterhub/jupyter-remote-desktop-proxy/security/advisories/GHSA-vrq4-9hc3-cgp7
- https://nvd.nist.gov/vuln/detail/CVE-2025-32428
- https://github.com/jupyterhub/jupyter-remote-desktop-proxy/commit/7dd54c25a4253badd8ea68895437e5a66a59090d
- https://github.com/jupyterhub/jupyter-remote-desktop-proxy
Affected packages
PyPI / jupyter-remote-desktop-proxy
Package
- Name
- jupyter-remote-desktop-proxy
- View open source insights on deps.dev
- Purl
- pkg:pypi/jupyter-remote-desktop-proxy