CVE-2025-30370
Description
jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
jupyterlab-gitPyPI | < 0.51.1 | 0.51.1 |
Affected products
2- Range: v0.21.0, v0.21.0a0, v0.21.0a1, …
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-cj5w-8mjf-r5f8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-30370ghsaADVISORY
- github.com/jupyterlab/jupyterlab-git/blob/7eb3b06f0092223bd5494688ec264527bbeb2195/src/commandsAndMenu.tsxnvdWEB
- github.com/jupyterlab/jupyterlab-git/commit/b46482993f76d3a546015c6a94ebed8b77fc2376nvdWEB
- github.com/jupyterlab/jupyterlab-git/pull/1196nvdWEB
- github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-cj5w-8mjf-r5f8nvdWEB
News mentions
0No linked articles in our index yet.