logo

Database

External control of file name or path In jupyter-core

Description

Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Impact

On Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users.

Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected.

Mitigations

    upgrade to jupyter_core>=5.8.1 (5.8.0 is patched but breaks jupyter-server) , or

    as administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users, or

    as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions, or

    as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators or the current user)

Credit

Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-301672. NVD-2025-301673. OSV-2025-301674. GHSA-33p9-3p43-82vq5. GCVE-2025-301676. GHSA-33p9-3p43-82vq

References

1. https://github.com/jupyter/jupyter_core2. https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq3. https://github.com/jupyter/jupyter_core/commit/5e8965600adda6b416692ce7e85ecb2bd814bd52

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.