Safety vulnerability ID: 76627
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Jupyter-remote-desktop-proxy was meant to rely on UNIX sockets readable only by the current user since version 3.0.0, but when used with TigerVNC, the VNC server started by jupyter-remote-desktop-proxy was still accessible via the network.
NOTE: This vulnerability does not affect users having TurboVNC as the vncserver executable.
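A check an administrator can run on a host where jupyter-remote-desktop-proxy is deployed, added here as an example and not code from the project or the advisory: it parses `ss -H -ltnp` output and reports any VNC server process holding a TCP listening socket, which should not exist when the server is bound only to a UNIX socket. The process names `Xvnc` and `Xtigervnc`, the port, and the sample rows are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: common TigerVNC server binary names; adjust for your distribution.
VNC_PROCESS_NAMES = {"Xvnc", "Xtigervnc"}

# One row of `ss -H -ltnp`: State Recv-Q Send-Q Local:Port Peer:Port users:((...))
ROW = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s*(?P<users>users:\(.*\))?$"
)
PROC = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

# Constructed sample output, not captured from a real system.
SAMPLE = """\
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=801,fd=3))
LISTEN 0      5            0.0.0.0:5901       0.0.0.0:*    users:(("Xtigervnc",pid=4242,fd=7))
LISTEN 0      5               [::]:5901          [::]:*    users:(("Xtigervnc",pid=4242,fd=8))
LISTEN 0      128        127.0.0.1:8888       0.0.0.0:*    users:(("jupyter-lab",pid=4100,fd=6))
"""

def vnc_tcp_listeners(ss_output):
    """Return one finding per TCP listening socket held by a VNC server process."""
    findings = []
    for line in ss_output.splitlines():
        row = ROW.match(line.strip())
        # Without privileges, ss omits the users:(...) column for other users' sockets.
        if not row or not row.group("users"):
            continue
        addr = row.group("addr").strip("[]")
        for proc in PROC.finditer(row.group("users")):
            if proc.group("name") in VNC_PROCESS_NAMES:
                findings.append({
                    "process": proc.group("name"),
                    "pid": int(proc.group("pid")),
                    "address": addr,
                    "port": int(row.group("port")),
                    # A loopback listener is still reachable by every local user.
                    "loopback_only": addr.startswith("127.") or addr == "::1",
                })
    return findings

if __name__ == "__main__":
    # Use piped `ss` output when present, otherwise the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for f in vnc_tcp_listeners(data):
        print("VNC server on TCP: {process} pid={pid} {address}:{port}".format(**f))
```

Run `ss -H -ltnp` as root or as the user owning the VNC process and pipe its output into the script; an empty result means no matching process holds a TCP listener.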
Latest version: 3.0.1
Run a desktop environment on Jupyter
This is a security release for [GHSA-vrq4-9hc3-cgp7] impacting users of this
project together with TigerVNC.
[ghsa-vrq4-9hc3-cgp7]: https://github.com/jupyterhub/jupyter-remote-desktop-proxy/security/advisories/GHSA-vrq4-9hc3-cgp7
Bugs fixed
- Ensure TigerVNC isn't accessible via the network [151](https://github.com/jupyterhub/jupyter-remote-desktop-proxy/pull/151) ([consideRatio](https://github.com/consideRatio), [minrk](https://github.com/minrk))
Other merged PRs
This changelog entry omits automated PRs, for example those updating
dependencies in: images, github actions, pre-commit hooks. For a full list of
changes, see the [full comparison](https://github.com/jupyterhub/jupyter-remote-desktop-proxy/compare/v2.0.1...v3.0.0).