CVE-2021-39160

9.6 CRITICAL

📋 TL;DR

CVE-2021-39160 is a critical vulnerability in nbgitpuller, a Jupyter server extension for syncing git repositories. Due to unsanitized input in crafted links, attackers can execute arbitrary code in the user's environment. All users of nbgitpuller versions before 0.10.2 are affected.

💻 Affected Systems

Products:
  • nbgitpuller
Versions: All versions < 0.10.2
Operating Systems: All platforms running nbgitpuller
Default Config Vulnerable: ⚠️ Yes
Notes: Any Jupyter environment with nbgitpuller extension enabled is vulnerable. The vulnerability is in the link handling mechanism.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full compromise of the Jupyter environment allowing attackers to execute arbitrary commands, access sensitive data, and potentially pivot to other systems.

🟠

Likely Case

Remote code execution leading to data theft, unauthorized access to Jupyter notebooks, and potential lateral movement within the environment.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH - Attackers can exploit via malicious links without authentication if the Jupyter server is internet-accessible.
🏢 Internal Only: HIGH - Even internally, malicious links could be distributed via phishing or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires users to click malicious links. The advisory includes technical details that could be used to create exploits.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.10.2

Vendor Advisory: https://github.com/jupyterhub/nbgitpuller/security/advisories/GHSA-mq5p-2mcr-m52j

Restart Required: Yes

Instructions:

1. Stop the Jupyter server.
2. Run: pip install --upgrade nbgitpuller==0.10.2
3. Restart the Jupyter server.
4. Verify the fix by checking the installed version.

🔧 Temporary Workarounds

Disable nbgitpuller extension

Applies to: all platforms

Temporarily disable the nbgitpuller extension until patching is possible:

jupyter serverextension disable nbgitpuller

🧯 If You Can't Patch

  • Implement strict network controls to prevent access to Jupyter servers from untrusted networks
  • Educate users about the risks of clicking unknown links in the Jupyter environment

🔍 How to Verify

Check if Vulnerable:

Check the installed nbgitpuller version: pip show nbgitpuller | grep Version
Any version below 0.10.2 is vulnerable.

Verify Fix Applied:

Run the same command and confirm the reported version is 0.10.2 or higher: pip show nbgitpuller | grep Version

📡 Detection & Monitoring

Log Indicators:

  • Unusual git operations via nbgitpuller
  • Suspicious URL parameters in Jupyter access logs
  • Unexpected process execution from Jupyter context

Network Indicators:

  • Unusual outbound connections from Jupyter servers
  • Git operations to unknown repositories

SIEM Query:

source="jupyter" AND url="*nbgitpuller*" AND (url="*;*" OR url="*|*" OR url="*`*" OR url="*$(*")

(The shell-metacharacter conditions are grouped so that every match is also restricted to nbgitpuller URLs; without the parentheses around the OR terms, AND binds tighter and the `|`, backtick and `$(` clauses would match any URL.)
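The same detection logic as the SIEM query, applied offline to Jupyter server access-log lines, as an added example that is not part of the original advisory or of nbgitpuller itself. It treats requests to nbgitpuller's git-pull endpoint as in scope (the path nbgitpuller links use), percent-decodes the URL before looking for shell metacharacters (an assumption: logs usually carry the encoded form), and deliberately ignores metacharacters on unrelated endpoints, which is the precedence point made above. The log lines are constructed samples, not real logs.

```python
import re
from urllib.parse import unquote, urlparse

# Shell metacharacters the SIEM query above looks for in nbgitpuller URLs.
SUSPICIOUS_TOKENS = (";", "|", "`", "$(")

# Constructed sample Jupyter access-log lines (not captured from a real server).
SAMPLE_LOG = """\
[I 2021-08-25 10:00:01.000 ServerApp] 302 GET /hub/user-redirect/git-pull?repo=https%3A%2F%2Fgithub.com%2Fexample%2Fcourse&branch=main (user@10.0.0.5) 12.00ms
[I 2021-08-25 10:00:02.000 ServerApp] 200 GET /user/alice/tree (user@10.0.0.5) 3.00ms
[I 2021-08-25 10:00:03.000 ServerApp] 302 GET /hub/user-redirect/git-pull?repo=https%3A%2F%2Fexample.invalid%2Frepo%3Bx&branch=main (user@10.0.0.9) 11.00ms
[I 2021-08-25 10:00:04.000 ServerApp] 200 GET /user/bob/api/contents?content=1%7C2 (user@10.0.0.9) 2.00ms
"""

# Request line: method followed by the request target.
REQUEST_RE = re.compile(r"\b(?:GET|POST)\s+(\S+)")


def extract_url(line):
    """Return the request target from an access-log line, or None."""
    m = REQUEST_RE.search(line)
    return m.group(1) if m else None


def is_nbgitpuller_url(url):
    """True if the request path belongs to nbgitpuller.

    Matches the literal 'nbgitpuller' the SIEM query uses and the git-pull
    endpoint that nbgitpuller links point at.
    """
    path = urlparse(url).path.lower()
    return "nbgitpuller" in path or path.endswith("/git-pull")


def has_shell_metachars(url):
    """True if the percent-decoded URL contains any of the suspicious tokens."""
    decoded = unquote(url)
    return any(tok in decoded for tok in SUSPICIOUS_TOKENS)


def is_suspicious(url):
    """nbgitpuller URL AND shell metacharacters, mirroring the grouped SIEM query."""
    return is_nbgitpuller_url(url) and has_shell_metachars(url)


def scan_log(text):
    """Return the request targets of all suspicious nbgitpuller requests in a log."""
    hits = []
    for line in text.splitlines():
        url = extract_url(line)
        if url and is_suspicious(url):
            hits.append(url)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious nbgitpuller request:", hit)
```

Only the third sample line is reported: the first is a normal git-pull link, and the fourth carries an encoded `|` but on an unrelated endpoint, so it is correctly left alone. Feed the function your own exported log text instead of SAMPLE_LOG to triage a real server.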
