CVE-2025-32428: 
Python vulnerability analysis and mitigation

Jupyter Remote Desktop Proxy, a tool that enables running Linux Desktop environments on JupyterHub, contains a critical security vulnerability (CVE-2025-32428) discovered in April 2025. The vulnerability affects version 3.0.0 when used with TigerVNC, where the VNC server remains accessible via the network despite being configured to use UNIX sockets for user-level isolation. This issue was assigned a CVSSv4 score of 9.0 (Critical) (NVD, SecurityOnline).

The vulnerability stems from a configuration issue where jupyter-remote-desktop-proxy version 3.0.0, when used with TigerVNC as the VNC server executable, inadvertently exposes VNC services over the network instead of limiting access to local UNIX sockets. The system was designed to rely exclusively on UNIX domain sockets for communication to provide user-level isolation, but TigerVNC opens a TCP network port, bypassing the intended security measures. Notably, this vulnerability does not affect systems using TurboVNC, which correctly honors the UNIX socket configuration (GitHub Advisory).

In shared environments such as universities or cloud-hosted Jupyter platforms, this vulnerability could allow attackers on the same network to connect to and interact with another user's Linux desktop session without proper authentication. This access could potentially lead to unauthorized data access, session hijacking, or privilege abuse (SecurityOnline).

The vulnerability has been patched in jupyter-remote-desktop-proxy version 3.0.1. Users are strongly advised to upgrade to this version. Alternatively, users can switch to TurboVNC as their VNC server executable, as it is not affected by this vulnerability (NVD, GitHub Advisory).