Home

Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. As of time of publication, no known patches exist.

PUBLISHED Reserved 2025-06-24 | Published 2025-12-17 | Updated 2025-12-18 | Assigner GitHub_M




HIGH: 8.5CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-427 Uncontrolled Search Path Element

Product status

Default status
unaffected

Any version
affected

References

www.imperva.com/...ode-execution-in-jupyter-notebook-exports exploit

www.imperva.com/...ode-execution-in-jupyter-notebook-exports

cve.org (CVE-2025-53000)

nvd.nist.gov (CVE-2025-53000)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.