CVE-2025-30167

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch. Some other mitigations are available. As administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators or the current user).

Database specific

{
    "cwe_ids": [
        "CWE-427"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/30xxx/CVE-2025-30167.json",
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/jupyter/jupyter_core

Affected ranges

Type: GIT
Repo: https://github.com/jupyter/jupyter_core
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

ff5270b8a688af5494940b12dc347e9d563e8d91

Affected versions

4.*

4.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.0.6

4.1.0

4.1.1

4.10.0

4.11.0

4.11.1

4.2.0

4.2.1

4.3.0

4.4.0

4.5.0

4.6.0

4.6.1

4.6.2

4.6.3

4.7.0

4.7.0rc0

4.7.1

4.8.0

4.9.0

4.9.0rc0

4.9.1

4.9.1rc0

4.9.2

5.*

5.0.0rc0

5.0.0rc1

5.0.0rc2

v5.*

v5.0.0

v5.1.0

v5.1.1

v5.1.2

v5.1.3

v5.1.4

v5.1.5

v5.2.0

v5.3.0

v5.3.1

v5.3.2

v5.4.0

v5.5.0

v5.5.1

v5.6.0

v5.6.1

v5.7.0

v5.7.1

v5.7.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-30167.json"