CVE-2024-28179

9.0 CRITICAL

📋 TL;DR

Jupyter Server Proxy versions before 3.2.3 (3.x line) and before 4.1.1 (4.x line) fail to properly authenticate websocket connections, allowing unauthenticated network access to proxied websocket endpoints. This can lead to remote arbitrary code execution when the proxied websockets are used for command execution. Anyone running a vulnerable Jupyter Server Proxy instance with websocket-enabled services is affected.

💻 Affected Systems

Products:
  • Jupyter Server Proxy
Versions: 3.x before 3.2.3 and 4.x before 4.1.1
Operating Systems: All platforms running Jupyter Server Proxy
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances using websocket proxying. Jupyter Server's own websocket endpoints are not affected. Projects without websocket usage are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote unauthenticated attackers gain arbitrary code execution on the Jupyter server host, potentially leading to full system compromise, data theft, and lateral movement.

🟠 Likely Case

Unauthenticated access to backend services via websockets, enabling command execution, data exfiltration, or service disruption depending on what websocket endpoints are exposed.

🟢 If Mitigated

If proper network segmentation and authentication controls exist, impact is limited to unauthorized access to specific websocket services without escalation.

🌐 Internet-Facing: HIGH - Internet-facing instances are directly exploitable by any attacker without authentication.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems can exploit this without authentication, but they require network access to the Jupyter endpoint.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of the proxied websocket endpoints but is straightforward once they are identified. The vulnerability is an authentication bypass, not a complex memory corruption issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.3 or 4.1.1

Vendor Advisory: https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v

Restart Required: Yes

Instructions:

1. Update Jupyter Server Proxy using pip: 'pip install --upgrade "jupyter-server-proxy>=3.2.3"' (3.x line) or 'pip install --upgrade "jupyter-server-proxy>=4.1.1"' (4.x line). The version specifier is quoted so the shell does not treat '>=' as a redirection.
2. Restart the Jupyter server.
3. Verify the update with 'pip show jupyter-server-proxy'.

🔧 Temporary Workarounds

Disable websocket proxying (platform: all)

If websocket functionality is not required, disable websocket proxying entirely by configuring Jupyter Server Proxy not to proxy websocket connections.

Network access restrictions (platform: linux)

Restrict network access to the Jupyter server port with firewall rules so that only trusted networks can reach it. The ACCEPT rule must precede the DROP rule in the chain (both are appended in order with -A below, after any rules already present); substitute the real port and trusted CIDR ranges for the placeholders:

iptables -A INPUT -p tcp --dport <jupyter-port> -s <trusted-networks> -j ACCEPT
iptables -A INPUT -p tcp --dport <jupyter-port> -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Jupyter servers from untrusted networks
  • Deploy a reverse proxy with proper authentication in front of Jupyter Server Proxy

🔍 How to Verify

Check if Vulnerable:

Check the Jupyter Server Proxy version: 'pip show jupyter-server-proxy | grep Version'. If the version is below 3.2.3 on the 3.x line or below 4.1.1 on the 4.x line (so 4.0.x is vulnerable even though it is newer than 3.2.3), the system is vulnerable.

Check Version:

pip show jupyter-server-proxy | grep Version

Verify Fix Applied:

After patching, verify that the version is 3.2.3 or higher (for 3.x) or 4.1.1 or higher (for 4.x). Then test that proxied websocket connections require authentication.
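The version check above is easy to get wrong with a single "greater than 3.2.3" comparison, because the fix landed separately on two release lines. The following is an added example, not code from the advisory or from the jupyter-server-proxy project: it compares an installed version against the fixed release of its own major line (3.2.3 for 3.x, 4.1.1 for 4.x, as stated above), treats pre-releases such as 4.1.1rc1 as preceding the fixed release, and reads the installed version with the standard library instead of shelling out to pip. Treating lines older than 3.x as vulnerable and lines newer than 4.x as fixed is an assumption, not something the advisory states.

```python
"""Classify a jupyter-server-proxy version against the CVE-2024-28179 fix lines."""
import re
from importlib import metadata

# Fixed releases per maintained line, as stated in the advisory.
FIXED_BY_MAJOR = {3: (3, 2, 3), 4: (4, 1, 1)}
PACKAGE = "jupyter-server-proxy"

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(.*)$")


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch, final).

    `final` is 0 for pre-releases (a/b/rc/dev suffixes) and 1 otherwise, so
    that 4.1.1rc1 sorts before the 4.1.1 release while 4.1.1.post1 does not.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, suffix = m.groups()
    is_pre = re.match(r"^[.\-_]?(a|b|rc|dev)\d*", suffix) is not None
    return (int(major), int(minor), int(patch or 0), 0 if is_pre else 1)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its own release line.

    4.0.x is newer than 3.2.3 yet still vulnerable, so each major line is
    compared against its own fixed release rather than one global threshold.
    Assumption (not in the advisory): majors below 3 are vulnerable, majors
    above 4 are fixed.
    """
    parsed = parse_version(version)
    major = parsed[0]
    if major in FIXED_BY_MAJOR:
        return parsed < FIXED_BY_MAJOR[major] + (1,)
    return major < min(FIXED_BY_MAJOR)


def check_installed(package: str = PACKAGE) -> str:
    """Report the locally installed package against the fix; runs offline."""
    try:
        version = metadata.version(package)
    except metadata.PackageNotFoundError:
        return f"{package} is not installed"
    state = "VULNERABLE (update required)" if is_vulnerable(version) else "fixed"
    return f"{package} {version}: {state}"


if __name__ == "__main__":
    print(check_installed())
```

Run it with the Jupyter server's own Python interpreter (the one that imports jupyter-server-proxy), since a system-wide pip may point at a different environment than the running server.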

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated websocket connection attempts
  • Websocket connections without corresponding authentication logs
  • Unexpected process execution from Jupyter context

Network Indicators:

  • Websocket traffic to Jupyter server without preceding authentication handshake
  • Unusual websocket patterns to non-standard ports

SIEM Query:

source="jupyter" AND (websocket OR ws://) AND NOT (authenticated OR auth_success)
