CVE-2025-30167 — Uncontrolled Search Path Element in Core

CWE-427 — Uncontrolled Search Path Element5 documents4 sources

Severity

7.3HIGHNVD

EPSS

0.1%

top 80.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jupyter Core Debian Jupyter-core

Timeline

PublishedJun 3

Latest updateJun 4

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to recei…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9

Affected Packages3 packages

▶NVDjupyter/jupyter_core< 5.8.0

▶PyPIjupyter/jupyter_core< 5.8.1

▶debiandebian/jupyter-core

🔴Vulnerability Details

OSV

Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability↗2025-06-04

▶

GHSA

Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability↗2025-06-04

▶

OSV

CVE-2025-30167: Jupyter Core is a package for the core common functionality of Jupyter projects↗2025-06-03

▶

📋Vendor Advisories

Debian

CVE-2025-30167: jupyter-core - Jupyter Core is a package for the core common functionality of Jupyter projects....↗2025

▶