How to fix CVE-2025-30167?

Within 24 hours: Audit your environment to identify Windows systems running Jupyter Core versions prior to 5.8.0 with multiple user accounts and accessible %PROGRAMDATA% directories. Within 7 days: For systems meeting risk criteria, either apply Jupyter Core version 5.8.0 or later when available, or implement one of the three administrative mitigations (restrict %PROGRAMDATA% permissions, create isolated jupyter subdirectory with restrictive permissions, or redirect %PROGRAMDATA% environment variable). Within 30 days: Complete patching or mitigation deployment across all affected systems and validate permission settings through automated compliance checks.

Is Jupyter Core affected by CVE-2025-30167?

CVE-2025-30167 affects Jupyter Core on Windows systems where multiple users share access to unprotected configuration directories, potentially allowing unauthorized users to modify settings that impact other users.

CVE-2025-30167

EUVD-2025-16771 HIGH

2025-06-03 [email protected]

GHSA-33p9-3p43-82vq

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

EUVD ID Assigned

Mar 14, 2026 - 17:04 euvd

EUVD-2025-16771

Analysis Generated

Mar 14, 2026 - 17:04 vuln.today

CVE Published

Jun 03, 2025 - 17:15 nvd

HIGH 7.3

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users; or as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions; or as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).

Analysis

A security vulnerability in Jupyter Core (CVSS 7.3) that allows users. High severity vulnerability requiring prompt remediation.

Technical Context

CWE-427 (Uncontrolled Search Path). CVSS 7.3 indicates high severity. Affects Jupyter Core.

Affected Products

['Jupyter Core']

Remediation

Monitor vendor channels for patch availability.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

Vendor Status

Ubuntu

Priority: Medium

jupyter-core

Release	Status	Version
bionic	needs-triage	-
focal	needs-triage	-
jammy	needs-triage	-
noble	needs-triage	-
upstream	needs-triage	-
oracular	ignored	end of life, was needs-triage
questing	needs-triage	-
plucky	ignored	end of life, was needs-triage

Debian

jupyter-core

Release	Status	Fixed Version	Urgency
bullseye (security), bullseye	fixed	4.7.1-1+deb11u1	-
bookworm	fixed	4.12.0-1	-
trixie	fixed	5.7.2-5	-
forky, sid	fixed	5.9.1-1	-
(unstable)	not-affected	-	-

CVE-2025-30167 vulnerability details – vuln.today

Back

CVE-2025-30167

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

CVE-2025-30167

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Ubuntu

Debian

Share

External POC / Exploit Code