Cyber Posture

CVE-2023-25574

Critical

Published: 25 February 2025
Modified: 02 September 2025
KEV Added:
Patch:
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0037 (58.8th percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

`jupyterhub-ltiauthenticator` is a JupyterHub authenticator for Learning Tools Interoperability (LTI). The `LTI13Authenticator` class introduced in `jupyterhub-ltiauthenticator` 1.3.0 was not validating JWT signatures. This is believed to allow `LTI13Authenticator` to authorize a forged request. Only users who have configured a JupyterHub installation to use the authenticator class `LTI13Authenticator` are affected. `jupyterhub-ltiauthenticator` version 1.4.0 removes `LTI13Authenticator` to address the issue. No known workarounds are available.

Security Summary

CVE-2023-25574 is a critical vulnerability in the `jupyterhub-ltiauthenticator` package, a JupyterHub authenticator for Learning Tools Interoperability (LTI). Specifically, the LTI13Authenticator class, introduced in version 1.3.0, fails to validate JSON Web Token (JWT) signatures (CWE-347), potentially allowing forged authentication requests. This issue affects only JupyterHub installations explicitly configured to use the `LTI13Authenticator` class. The vulnerability carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating maximum severity due to its remote, unauthenticated nature and potential for complete system compromise.
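To make the CWE-347 failure mode concrete, the following is an added, self-contained illustration written for this page; it is not code from `jupyterhub-ltiauthenticator` and does not reproduce the project's validator. It contrasts a decoder that returns a token's claims without checking the signature with one that pins the algorithm, verifies the signature, and then checks issuer, audience and expiry. Assumptions and simplifications: HS256 with a constructed shared secret stands in for the RS256 platform keys that LTI 1.3 actually uses (a real tool fetches those from the platform's JWKS endpoint); the issuer, client id, subject values and secret are all made up.

```python
# Added illustrative example (not code from jupyterhub-ltiauthenticator): the
# difference between reading a JWT's claims without checking its signature
# (the CWE-347 pattern the advisory describes) and verifying it first.
# Simplifications, all assumptions: HS256 with a constructed shared secret
# stands in for the RS256 platform keys LTI 1.3 actually uses; the
# platform/client identifiers and claims are made up.
import base64
import hashlib
import hmac
import json

PLATFORM_ISSUER = "https://lms.example.test"   # constructed value
TOOL_CLIENT_ID = "tool-client-123"             # constructed value
SHARED_SECRET = b"constructed-demo-secret"     # constructed; never hard-code a real key


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issue an HS256-signed JWT (the platform's side of the exchange)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def decode_unverified(token: str) -> dict:
    """The flawed pattern: return the claims without looking at the signature."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def decode_verified(token: str, key: bytes, issuer: str, audience: str, now: int) -> dict:
    """Hardened pattern: pin the algorithm, compare the signature in constant time,
    then check iss/aud/exp before trusting any claim."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return claims


def tamper_payload(token: str, changes: dict) -> str:
    """Negative test input: edit the claims but leave the original signature in place."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    return f"{header_b64}.{_json_b64(claims)}.{sig_b64}"


def _rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError, i.e. the token was rejected."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Run both decoders over a genuine token and a tampered copy; fixed clock for determinism."""
    genuine = sign_jwt(
        {"iss": PLATFORM_ISSUER, "aud": TOOL_CLIENT_ID, "sub": "student-42", "exp": now + 300},
        SHARED_SECRET,
    )
    tampered = tamper_payload(genuine, {"sub": "instructor-1"})
    return {
        "unverified_trusts_tampered": decode_unverified(tampered)["sub"] == "instructor-1",
        "verified_accepts_genuine": decode_verified(
            genuine, SHARED_SECRET, PLATFORM_ISSUER, TOOL_CLIENT_ID, now)["sub"] == "student-42",
        "verified_rejects_tampered": _rejects(
            decode_verified, tampered, SHARED_SECRET, PLATFORM_ISSUER, TOOL_CLIENT_ID, now),
        "verified_rejects_expired": _rejects(
            decode_verified, genuine, SHARED_SECRET, PLATFORM_ISSUER, TOOL_CLIENT_ID, now + 600),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The point to take from the unverified path is that every claim it returns, including the subject that JupyterHub would map to a user, is attacker-controlled; a verifier that skips the signature check has no stronger basis for the login than a plain form field. Pinning the algorithm and checking `iss`, `aud` and `exp` are part of the same check, not optional extras.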

Any network-accessible attacker without privileges can exploit this by crafting a forged JWT request that bypasses authentication, tricking the LTI13Authenticator into granting unauthorized access to the JupyterHub instance. Successful exploitation could enable full control over the affected system, including high confidentiality, integrity, and availability impacts, such as spawning user sessions, accessing notebooks, or executing arbitrary code in a shared environment.

The GitHub security advisory (GHSA-mcgx-2gcr-p3hp) and changelog confirm that version 1.4.0 of `jupyterhub-ltiauthenticator` addresses the issue by removing the LTI13Authenticator entirely. No workarounds are available, and affected users must upgrade immediately. Relevant code showing the validation flaw is documented in the project's validator.py file.

JupyterHub's role in collaborative notebook environments, often used in educational and data science contexts, amplifies the risk in LTI-integrated deployments, though no real-world exploitation has been reported.

Details

CWE(s): CWE-347 (Improper Verification of Cryptographic Signature)

Affected Products

jupyter / lti jupyterhub authenticator / version 1.3.0

References