CVE-2025-32428: Jupyter Remote Desktop Proxy Exposes TigerVNC to Network Access

Researchers have uncovered a critical security flaw in Jupyter Remote Desktop Proxy, a widely used Jupyter extension that allows users to run graphical desktop environments like XFCE within a Jupyter notebook interface. Tracked as CVE-2025-32428 and assigned a CVSSv4 score of 9.0, the vulnerability arises when the extension is used with TigerVNC, inadvertently exposing VNC services over the network—contrary to its intended design.

The VNC server started by jupyter-remote-desktop-proxy was still accessible via the network, even though the system was configured to use UNIX sockets accessible only to the current user, the report states.

The jupyter-remote-desktop-proxy extension enables users to launch and interact with a full Linux desktop environment directly inside their browser. It uses VNC over a secure proxy to render a desktop interface within the Jupyter environment.

Originally, starting with version 3.0.0, the extension was supposed to rely exclusively on UNIX domain sockets for communication—providing user-level isolation and preventing unauthorized external access.

The problem occurs specifically when TigerVNC is used as the vncserver executable. Instead of limiting access to local sockets, TigerVNC opens a TCP network port, unintentionally allowing external users on the same network to connect to the VNC session without proper authentication or isolation.

This flaw does not affect systems using TurboVNC, which honors the UNIX socket configuration as expected.

“This vulnerability does not affect users having TurboVNC as the vncserver executable,” the advisory clarifies.

Systems are at risk if:

• They run jupyter-remote-desktop-proxy v3.0.0
• The backend VNC server is TigerVNC
• Network isolation or firewall rules are misconfigured or permissive

In shared environments (e.g., universities, cloud-hosted Jupyter platforms), an attacker could remotely access or interact with another user’s Linux desktop session, potentially leading to data exfiltration, privilege abuse, or session hijacking.

The vulnerability is patched in jupyter-remote-desktop-proxy version 3.0.1.

Related Posts:

• Cryptominers Exploit Exposed Jupyter Notebooks in Novel Campaign
• New Sobolan Malware Campaign Targets Jupyter Notebooks and Cloud-Native Environments
• VmWare fix two high-risk arbitrary code execution vulnerabilities in several products
• CVE-2024-42458 (CVSS 9.8) – New Security Vulnerability in Neat VNC: Urgent Patch Released

About The Author

Ddos

Ddos is a seasoned news reporter, bringing over a decade of expertise to the forefront of cyber security and technology reporting. My work provides timely and insightful analysis of emerging trends and critical developments in these rapidly evolving sectors.

See author's posts