JupyterHub LTI Authenticator Unbounded Memory Growth Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in the JupyterHub LTI Authenticator, affecting versions up to and including 1.6.2. The LTI 1.1 validator mishandles OAuth nonces: it stores them in a class-level dictionary that is never pruned and can grow without bound. Because a nonce is recorded before the request's signature is validated, an attacker holding a valid consumer key can send many requests, each with a unique nonce, and every one is retained. Server memory is gradually exhausted, producing a denial-of-service condition.
Impact
Exploitation of this vulnerability leads to unbounded memory consumption on the server, causing a denial-of-service condition where the server becomes unresponsive or unavailable.
Remediation
Users can upgrade to JupyterHub LTI Authenticator version 1.6.3 to address this vulnerability.
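For readers maintaining their own LTI 1.1 validator, the following is an added example of the defensive shape the advisory implies; it is written for this page and is not code from the ltiauthenticator project. Signatures are checked before any nonce is stored, and the store forgets nonces after a window, so rejected requests leave nothing behind and accepted ones cannot accumulate. The `sign` function is a stand-in for the real OAuth 1.0a HMAC-SHA1 base-string signature, and `NONCE_TTL` is an assumed value.

```python
import hashlib
import hmac
import time

NONCE_TTL = 300  # seconds a nonce is remembered; assumed value, not the project's

class BoundedNonceStore:
    """Remembers (consumer_key, nonce) pairs for NONCE_TTL seconds, then forgets them."""

    def __init__(self, ttl=NONCE_TTL, now=time.time):
        self._seen = {}  # (consumer_key, nonce) -> time first seen
        self._ttl = ttl
        self._now = now  # injectable clock so the behaviour can be tested offline

    def _prune(self):
        cutoff = self._now() - self._ttl
        for key in [k for k, ts in self._seen.items() if ts < cutoff]:
            del self._seen[key]

    def check_and_add(self, consumer_key, nonce, timestamp):
        """Return True and record the nonce only for a fresh, unseen request."""
        self._prune()
        now = self._now()
        if abs(now - timestamp) > self._ttl:
            return False  # outside the window: rejected and never stored
        key = (consumer_key, nonce)
        if key in self._seen:
            return False  # replay of a nonce already seen in the window
        self._seen[key] = now
        return True

    def __len__(self):
        return len(self._seen)

def sign(secret, params):
    # Stand-in for the OAuth 1.0a HMAC-SHA1 signature; the real base-string rules are not reproduced.
    base = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "oauth_signature")
    return hmac.new(secret.encode(), base.encode(), hashlib.sha1).hexdigest()

def validate_launch(params, secrets, store):
    """Signature first, nonce bookkeeping second: a rejected request touches no memory."""
    secret = secrets.get(params.get("oauth_consumer_key"))
    ts = params.get("oauth_timestamp", "")
    nonce = params.get("oauth_nonce")
    if secret is None or not ts.isdigit() or not nonce:
        return False
    if not hmac.compare_digest(sign(secret, params), params.get("oauth_signature", "")):
        return False
    return store.check_and_add(params["oauth_consumer_key"], nonce, int(ts))
```

The store's size after a burst of bad-signature requests is the check that matters: it must stay unchanged.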
