CVE-2025-30167

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-30167
Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users; or as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions; or as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).

7.3 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:jupyter:jupyter_core:*:*:*:*:*:*:*:*
History

08 Sep 2025, 21:55

Type Values Removed Values Added
First Time Jupyter jupyter Core
Jupyter
References () https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq - () https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq - Vendor Advisory
CPE cpe:2.3:a:jupyter:jupyter_core:*:*:*:*:*:*:*:*

04 Jun 2025, 14:54

Type Values Removed Values Added
Summary
  • (es) Jupyter Core es un paquete para la funcionalidad principal común de los proyectos de Jupyter. Al usar Jupyter Core antes de la versión 5.8.0 en Windows, se buscan archivos de configuración (`SYSTEM_CONFIG_PATH` y `SYSTEM_JUPYTER_PATH`) en el directorio compartido `%PROGRAMDATA%`, lo que puede permitir que los usuarios creen archivos de configuración que afecten a otros usuarios. Solo se ven afectados los sistemas Windows compartidos con varios usuarios y `%PROGRAMDATA%` sin protección. Los usuarios deben actualizar a Jupyter Core versión 5.8.0 o posterior para recibir un parche. Hay otras mitigaciones disponibles. Como administrador, modifique los permisos del directorio `%PROGRAMDATA%` para que usuarios no autorizados no puedan escribir en él; o como administrador, cree el directorio `%PROGRAMDATA%\jupyter` con los permisos restrictivos adecuados. o como usuario o administrador, configure la variable de entorno `%PROGRAMDATA%` en un directorio con permisos restrictivos apropiados (por ejemplo, controlado por administradores _o_ el usuario actual).

03 Jun 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-03 17:15

Updated : 2025-09-08 21:55

NVD link : CVE-2025-30167

Mitre link : CVE-2025-30167

CVE.ORG link : CVE-2025-30167

JSON object : View

Products Affected

jupyter

  • jupyter_core
CWE
CWE-427

Uncontrolled Search Path Element