logo

Database

Improper resource allocation In jupyterhub-ltiauthenticator

Description

LTI JupyterHub Authenticator: Unbounded Memory Growth via Nonce Storage (Denial of Service)

Summary

The LTI 1.1 validator stores OAuth nonces in a class-level dictionary that grows without bounds. Nonces are added before signature validation, so an attacker with knowledge of a valid consumer key can send repeated requests with unique nonces to gradually exhaust server memory, causing a denial of service.

Patches

    upgrade jupyterhub-litauthenticator to 1.6.3

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-340522. NVD-2026-340523. OSV-2026-340524. GHSA-8mxq-7xr7-2fxj5. GCVE-2026-34052

References

1. https://github.com/jupyterhub/ltiauthenticator/security/advisories/GHSA-8mxq-7xr7-2fxj2. https://github.com/jupyterhub/ltiauthenticator/releases/tag/1.6.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.