THREATINT
PUBLISHED

CVE-2025-30167

Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability



Description

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users; or as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions; or as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user).
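The second mitigation above (pre-creating `%PROGRAMDATA%\jupyter` with restrictive permissions), sketched in PowerShell as an added example that is not part of the advisory or of Jupyter's own code. It assumes an elevated session and that "appropriately restrictive" means full control for Administrators and SYSTEM and read-only access for ordinary users; adjust the rules to local policy.

```powershell
# Added example: audit and lock down %PROGRAMDATA%\jupyter. Run as administrator.
# Assumption: Administrators/SYSTEM = FullControl, Users = ReadAndExecute, no inheritance.
$dir = Join-Path $env:PROGRAMDATA 'jupyter'

# Well-known SIDs are used so the script works on localized Windows installs.
$admins = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$system = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$users  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-545'

if (Test-Path -LiteralPath $dir) {
    # The directory already exists: list its contents and owners for review,
    # since files created before the lockdown are not made trustworthy by it.
    Get-ChildItem -LiteralPath $dir -Recurse -Force |
        Select-Object FullName, LastWriteTime,
            @{ n = 'Owner'; e = { (Get-Acl -LiteralPath $_.FullName).Owner } }
} else {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow

$acl = New-Object System.Security.AccessControl.DirectorySecurity
# Take ownership for Administrators: an unprivileged owner could rewrite the DACL.
$acl.SetOwner($admins)
# Protect the DACL: stop inheriting from %PROGRAMDATA% and drop inherited entries.
$acl.SetAccessRuleProtection($true, $false)

foreach ($entry in @(
        @($admins, 'FullControl'),
        @($system, 'FullControl'),
        @($users,  'ReadAndExecute'))) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry[0], $entry[1], $inherit, $prop, $allow)
    $acl.AddAccessRule($rule)
}

Set-Acl -LiteralPath $dir -AclObject $acl

# Show the resulting owner and access rules for verification.
Get-Acl -LiteralPath $dir | Format-List Owner, AccessToString
```

Upgrading to Jupyter Core 5.8.0 or later remains the fix; this only closes the writable-directory condition on hosts that cannot be upgraded yet.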

Reserved 2025-03-17 | Published 2025-06-03 | Updated 2025-06-03 | Assigner GitHub_M


HIGH: 7.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-427: Uncontrolled Search Path Element

Product status

< 5.8.0
affected

References

github.com/...r_core/security/advisories/GHSA-33p9-3p43-82vq

cve.org (CVE-2025-30167)

nvd.nist.gov (CVE-2025-30167)
