Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
Description
Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jupyter_corePyPI | < 5.8.1 | 5.8.1 |
Affected products
10- osv-coords9 versionspkg:apk/chainguard/jupyter-base-notebook-oci-entrypointpkg:apk/chainguard/kubeflow-pipelines-visualization-serverpkg:apk/chainguard/tensorflow-cpu-jupyterpkg:apk/chainguard/tensorflow-gpu-jupyterpkg:apk/wolfi/jupyter-base-notebook-oci-entrypointpkg:apk/wolfi/kubeflow-pipelines-visualization-serverpkg:apk/wolfi/tensorflow-cpu-jupyterpkg:pypi/jupyter_corepkg:rpm/opensuse/python-jupyter-core&distro=openSUSE%20Tumbleweed
< 0.0.0_git20251013-r0+ 8 more
- (no CPE)range: < 0.0.0_git20251013-r0
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 0
- (no CPE)range: < 2.19.0-r3
- (no CPE)range: < 0.0.0_git20251013-r0
- (no CPE)range: < 2.5.0-r3
- (no CPE)range: < 0
- (no CPE)range: < 5.8.1
- (no CPE)range: < 5.8.1-1.1
- Range: < 5.8.0
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-33p9-3p43-82vqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-30167ghsaADVISORY
- github.com/jupyter/jupyter_core/commit/5e8965600adda6b416692ce7e85ecb2bd814bd52ghsax_refsource_MISCWEB
- github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vqghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.