Impact
The LTI JupyterHub Authenticator implements LTI 1.1 authentication and stores OAuth nonces in a class-level dictionary. Each incoming request adds a nonce before signature validation, and the dictionary is never cleared. As a result, an attacker with knowledge of a valid consumer key can repeatedly issue requests using new nonces, causing the dictionary to grow without bounds and exhausting server memory. Once memory limits are reached the JupyterHub service will become unresponsive, effectively denying access to all users.
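The following is an added illustration of the flaw described above and of the corrective pattern; it is constructed for this page and is not ltiauthenticator's own code. It assumes a simplified HMAC-SHA1 signature over sorted parameters in place of the full OAuth 1.0a base-string construction, and the class names, parameter names and the 300-second window are all assumptions. The vulnerable validator records every nonce in a class-level dictionary before checking the signature; the hardened one checks the signature first, keeps the store per instance, rejects timestamps outside a replay window, and caps the number of retained entries so memory stays bounded even under a flood of validly signed requests.

```python
import hashlib
import hmac
from collections import OrderedDict

# Constructed example. The signature here is a simplified HMAC-SHA1 over the
# sorted request parameters, standing in for the real OAuth 1.0a scheme.


def sign(params, secret):
    """Return the hex HMAC-SHA1 of the sorted parameters (signature field excluded)."""
    base = "&".join(f"{k}={params[k]}" for k in sorted(params) if k != "oauth_signature")
    return hmac.new(secret.encode(), base.encode(), hashlib.sha1).hexdigest()


class VulnerableValidator:
    """Mirrors the advisory's pattern: nonces live in a class-level dict,
    are written before the signature is verified, and are never expired."""

    nonces = {}  # shared by every instance, grows for the life of the process

    def handle(self, params, secret, now=None):
        nonce = params["oauth_nonce"]
        if nonce in self.nonces:
            return False
        self.nonces[nonce] = params["oauth_timestamp"]  # stored unconditionally
        return hmac.compare_digest(params.get("oauth_signature", ""), sign(params, secret))

    def stored(self):
        return len(self.nonces)


class HardenedValidator:
    """Signature first; nonce store is per instance, time-windowed and size-capped."""

    def __init__(self, window_seconds=300, max_entries=10000):
        self.window = window_seconds
        self.max_entries = max_entries
        self._nonces = OrderedDict()  # nonce -> timestamp, oldest first

    def _prune(self, now):
        # Evict from the oldest end while entries are outside the window or over the cap.
        while self._nonces:
            _, oldest_ts = next(iter(self._nonces.items()))
            if now - oldest_ts > self.window or len(self._nonces) > self.max_entries:
                self._nonces.popitem(last=False)
            else:
                break

    def handle(self, params, secret, now):
        if not hmac.compare_digest(params.get("oauth_signature", ""), sign(params, secret)):
            return False  # unsigned or forged requests never touch the store
        ts = int(params["oauth_timestamp"])
        if abs(now - ts) > self.window:
            return False  # stale or future-dated request
        self._prune(now)
        nonce = params["oauth_nonce"]
        if nonce in self._nonces:
            return False  # replay within the window
        self._nonces[nonce] = ts
        self._prune(now)
        return True

    def stored(self):
        return len(self._nonces)


def flood(validator, secret, count, signed, prefix="n", now=1_000_000):
    """Feed `count` requests with fresh nonces and report how many nonces were retained."""
    for i in range(count):
        params = {
            "oauth_consumer_key": "example-key",  # constructed value
            "oauth_nonce": f"{prefix}{i}",
            "oauth_timestamp": str(now),
        }
        params["oauth_signature"] = sign(params, secret) if signed else "bogus"
        validator.handle(params, secret, now)
    return validator.stored()


if __name__ == "__main__":
    secret = "example-secret"  # constructed value
    print("vulnerable, 500 unsigned requests:", flood(VulnerableValidator(), secret, 500, False))
    hardened = HardenedValidator(max_entries=100)
    print("hardened, 500 unsigned requests:", flood(hardened, secret, 500, False, prefix="u"))
    print("hardened, 500 signed requests (cap 100):", flood(hardened, secret, 500, True, prefix="s"))
```

Running the script shows the vulnerable store retaining every unsigned request, while the hardened store retains none of them and, for validly signed traffic, never exceeds its cap. The same idea applies to a production fix: validate before recording, scope the store to the instance or to an external cache with TTL, and bound its size.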
Affected Systems
JupyterHub developers ship the LTI Authenticator as the "ltiauthenticator" package. Versions prior to 1.6.3 are affected; any deployment using an earlier release with the same nonce handling logic is vulnerable. The patch was released with version 1.6.3, so systems running that or newer versions are not susceptible.
Risk and Exploitability
The CVSS score of 5.9 reflects a moderate severity. EPSS indicates an exploitation probability of less than 1 percent, and the vulnerability is not listed in the KEV catalog, suggesting that exploitation in the wild is currently unlikely. The likely attack vector is remote, via crafted HTTP requests sent to the authenticator endpoint, and requires the attacker to possess a valid consumer key. Because the vulnerability only leads to a service denial rather than code execution, the impact is limited to availability degradation.
OpenCVE Enrichment
GitHub GHSA