VYPR
High severityNVD Advisory· Published Jun 3, 2025· Updated Jan 23, 2026

Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

CVE-2025-30167

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
jupyter_corePyPI
< 5.8.15.8.1

Affected products

10

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.