Skip to main content

Jupyter Core CVE-2025-30167

| EUVDEUVD-2025-16771 HIGH
Uncontrolled Search Path Element (CWE-427)
2025-06-03 security-advisories@github.com GHSA-33p9-3p43-82vq
7.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.3 HIGH
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Ubuntu
MEDIUM
qualitative
SUSE
HIGH
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 14, 2026 - 17:04 euvd
EUVD-2025-16771
Analysis Generated
Mar 14, 2026 - 17:04 vuln.today
CVE Published
Jun 03, 2025 - 17:15 nvd
HIGH 7.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 14 pypi packages depend on jupyter-core (14 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.8.1.

DescriptionGitHub Advisory

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).

AnalysisAI

A security vulnerability in Jupyter Core (CVSS 7.3) that allows users. High severity vulnerability requiring prompt remediation.

Technical ContextAI

CWE-427 (Uncontrolled Search Path). CVSS 7.3 indicates high severity. Affects Jupyter Core.

RemediationAI

Monitor vendor channels for patch availability.

Vendor StatusVendor

Ubuntu

Priority: Medium
jupyter-core
Release Status Version
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
oracular ignored end of life, was needs-triage
questing needs-triage -
plucky ignored end of life, was needs-triage

Debian

jupyter-core
Release Status Fixed Version Urgency
bullseye (security), bullseye fixed 4.7.1-1+deb11u1 -
bookworm fixed 4.12.0-1 -
trixie fixed 5.7.2-5 -
forky, sid fixed 5.9.1-1 -
(unstable) not-affected - -

SUSE

Severity: High
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2025-30167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy