9

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-32428

GHSA ID

GHSA-vrq4-9hc3-cgp7

EPSS Score

0.04726%

CWE

CWE-668

Published

4/12/2025

Updated

4/15/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-32428

CVE-2025-32428:
TigerVNC accessible via the network and not just via a UNIX socket as intended

Summary

jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy were still accessible via the network.

This vulnerability does not affect users having TurboVNC as the vncserver executable.

Credits

This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

(GitHub Advisory)

9

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-32428

GHSA ID

GHSA-vrq4-9hc3-cgp7

EPSS Score

0.04726%

CWE

CWE-668

Published

4/12/2025

Updated

4/15/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jupyter-remote-desktop-proxy	pip	= 3.0.0	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in how jupyter-remote-desktop-proxy configured TigerVNC. The provided commit 7dd54c25a4253badd8ea68895437e5a66a59090d directly addresses this by modifying the setup_websockify function in jupyter_remote_desktop_proxy/setup_websockify.py. This function prepares the arguments for launching the VNC server. The patch introduces a check to identify if the VNC server is TigerVNC (by checking for the absence of 'turbovnc' in its script content) and adds the -rfbport -1 argument. This argument explicitly tells TigerVNC not to open a TCP port. The absence of this argument in the vulnerable version (3.0.0) for TigerVNC is the root cause of the vulnerability, making the setup_websockify function the direct location where the vulnerable configuration was applied.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry `jupyt*r-r*mot*-**sktop-proxy` w*s m**nt to r*ly on UNIX so*k*ts r*****l* only *y t** *urr*nt us*r sin** v*rsion *.*.*, *ut w**n us** wit* Ti**rVN*, t** VN* s*rv*r st*rt** *y `jupyt*r-r*mot*-**sktop-proxy` w*r* still ****ssi*l* vi* t** n*

Reasoning

T** vuln*r**ility li*s in *ow `jupyt*r-r*mot*-**sktop-proxy` *on*i*ur** Ti**rVN*. T** provi*** *ommit `****************************************` *ir**tly ***r*ss*s t*is *y mo*i*yin* t** `s*tup_w**so*ki*y` *un*tion in `jupyt*r_r*mot*_**sktop_proxy/s*t

9

Basic Information

Concerned about an active attack path?

CVE-2025-32428: TigerVNC accessible via the network and not just via a UNIX socket as intended

Summary

Credits

9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-32428:
TigerVNC accessible via the network and not just via a UNIX socket as intended

Vulnerability Intelligence
Miggo AI