Sensitive information sent insecurely in jupyter-remote-desktop-proxy

Description

TigerVNC accessible via the network and not just via a UNIX socket as intended

Summary

Since version 3.0.0, jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy was still accessible via the network.

This vulnerability does not affect users who have TurboVNC as the vncserver executable.
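A check an operator can run on a host where jupyter-remote-desktop-proxy starts VNC servers, added here as an example; it is not part of the advisory or of jupyter-remote-desktop-proxy. It parses `ss -ltnp` output (the sample below is constructed) and lists TCP listeners that belong to a VNC process or sit in the conventional 5900-5999 port range, flagging those bound to a non-loopback address as reachable from the network, which is the condition the advisory describes. The process-name and port heuristics and the `Listener` type are assumptions made for illustration.

```python
"""Find VNC servers listening on TCP (network-reachable) instead of a UNIX socket.

Added example, not code from the advisory or from jupyter-remote-desktop-proxy.
Run it on the host: it parses `ss -ltnp` if `ss` is available and otherwise
falls back to the constructed sample below.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass

# Constructed sample `ss -ltnp` output: a TigerVNC display that still listens on
# TCP on all interfaces (the advisory's condition) next to a Jupyter server that
# is correctly bound to loopback only.
SAMPLE_SS_TCP = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       5       0.0.0.0:5901         0.0.0.0:*          users:(("Xtigervnc",pid=1234,fd=7))
LISTEN  0       5       [::]:5901            [::]:*             users:(("Xtigervnc",pid=1234,fd=8))
LISTEN  0       128     127.0.0.1:8888       0.0.0.0:*          users:(("jupyter-lab",pid=42,fd=5))
"""

# `ss -p` renders the owning process as users:(("name",pid=N,fd=M)).
PROC_RE = re.compile(r'users:\(\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')
LOOPBACK_PREFIXES = ("127.", "[::1]", "::1")
VNC_PORT_RANGE = range(5900, 6000)  # assumed convention: display N -> 5900+N


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str
    pid: int

    @property
    def network_reachable(self) -> bool:
        # Anything not bound to a loopback address is reachable from other hosts
        # (subject to firewalling, which this check does not inspect).
        return not self.address.startswith(LOOPBACK_PREFIXES)


def parse_ss_tcp(output: str) -> list[Listener]:
    """Parse `ss -ltnp` lines into Listener records (rows without a process are skipped)."""
    listeners = []
    for line in output.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        address, _, port = fields[3].rpartition(":")  # handles "[::]:5901" and "0.0.0.0:5901"
        match = PROC_RE.search(line)
        if not match:
            continue  # no -p, or the socket belongs to another user and ss could not see it
        listeners.append(Listener(address, int(port), match["name"], int(match["pid"])))
    return listeners


def is_vnc(listener: Listener) -> bool:
    """Heuristic (assumption): VNC-looking process name or a port in the VNC range."""
    return "vnc" in listener.process.lower() or listener.port in VNC_PORT_RANGE


def exposed_vnc_listeners(output: str) -> list[Listener]:
    """VNC TCP listeners bound to a non-loopback address, i.e. reachable over the network."""
    return [lst for lst in parse_ss_tcp(output) if is_vnc(lst) and lst.network_reachable]


def main() -> None:
    if shutil.which("ss"):
        output = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=False).stdout
        source = "live `ss -ltnp`"
    else:
        output, source = SAMPLE_SS_TCP, "constructed sample"
    exposed = exposed_vnc_listeners(output)
    print(f"[{source}] network-reachable VNC TCP listeners: {len(exposed)}")
    for lst in exposed:
        print(f"  {lst.process} (pid {lst.pid}) on {lst.address}:{lst.port}")
    if exposed:
        print("Expected with the fixed setup: none; VNC should be on a user-only UNIX socket.")


if __name__ == "__main__":
    main()
```

A clean result on a patched setup is an empty list; the VNC process should then appear only under `ss -lxp` (UNIX sockets) on a path readable by the current user alone.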

Credits

This vulnerability was identified by Arne Gottwald at University of Göttingen and analyzed, reported, and reviewed by @frejanordsiek.

Mitigation
