CVE-2025-30167: jupyter_core: config hijack enables cross-user code exec
GHSA-33p9-3p43-82vq HIGH PoC AVAILABLE
Jupyter Core on shared Windows systems allows any local user to plant malicious configuration files that execute when other users start Jupyter sessions, potentially exfiltrating model weights, training data, and API credentials. Patch to 5.8.1 immediately; if delayed, lock %PROGRAMDATA%\jupyter with admin-only write permissions via Group Policy. JupyterHub deployments and shared data science workstations on Windows are the highest-risk environments.
What is the risk?
Risk is HIGH for shared Windows environments running Jupyter. Exploitation is trivial—requires only a local user account and default write access to %PROGRAMDATA%, which is permissive on many Windows deployments. Attack surface is narrow: Windows-only, multi-user systems, requires victim to initiate a Jupyter session. Low EPSS (0.00023) and absence from CISA KEV suggest no active exploitation in the wild. Organizations running JupyterHub or shared ML workstations on Windows should treat this as urgent given the sensitivity of data typically processed in these environments.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Jupyter | pip | < 5.8.0 | 5.8.1 |
What should I do?
5 steps:
1. PATCH: Upgrade to jupyter_core >= 5.8.1 (5.8.0 is patched but breaks jupyter-server; skip it).
2. RESTRICT: As administrator, set restrictive ACLs on %PROGRAMDATA%\jupyter so only SYSTEM/Administrators can write; deploy via Group Policy for scale.
3. REDIRECT: Set %PROGRAMDATA% to an admin-controlled path via Group Policy to contain the attack surface.
4. DETECT: Audit %PROGRAMDATA%\jupyter for unexpected files (jupyter_notebook_config.py, jupyter_server_config.py, custom.js, startup/ scripts). Alert on writes by non-admin accounts.
5. INVENTORY: Identify all Windows-based Jupyter deployments (JupyterHub, Anaconda, VS Code Jupyter) and prioritize shared systems.
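A read-only audit for the RESTRICT and DETECT steps, added here as an example and not taken from the advisory or the Jupyter project. It assumes only SYSTEM, Administrators and TrustedInstaller are trusted writers, so a CREATOR OWNER entry inherited from %PROGRAMDATA% is reported as well.

```powershell
# Added example: who can write to the shared Jupyter config path, and what is already in it.
# Assumption: only these well-known SIDs count as trusted writers.
$trusted = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
$sidType = [System.Security.Principal.SecurityIdentifier]

# Rights that let a principal plant or replace files, plus the GENERIC_ALL and
# GENERIC_WRITE bits that can appear unmapped on inherit-only ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

$jupyterDir = Join-Path $env:ProgramData 'jupyter'
# If the directory does not exist yet, what matters is who may create it in %PROGRAMDATA%.
$aclTarget = if (Test-Path -LiteralPath $jupyterDir) { $jupyterDir } else { $env:ProgramData }
$acl = Get-Acl -LiteralPath $aclTarget

# An untrusted owner can rewrite the DACL regardless of the ACEs listed below.
$owner = $acl.GetOwner($sidType).Value
if ($owner -notin $trusted) { Write-Warning "$aclTarget is owned by untrusted SID $owner" }

# Allow ACEs (explicit and inherited) that give a non-admin principal write-type access.
$acl.GetAccessRules($true, $true, $sidType) |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -notin $trusted -and
        ([int]$_.FileSystemRights -band $writeMask)
    } |
    Select-Object @{ n = 'Path'; e = { $aclTarget } }, IdentityReference, FileSystemRights, IsInherited |
    Format-Table -AutoSize

# Inventory of everything already present, flagging files not owned by a trusted principal.
if (Test-Path -LiteralPath $jupyterDir) {
    Get-ChildItem -LiteralPath $jupyterDir -Recurse -File -Force | ForEach-Object {
        $fileOwner = (Get-Acl -LiteralPath $_.FullName).GetOwner($sidType).Value
        [pscustomobject]@{
            File           = $_.FullName
            LastWriteTime  = $_.LastWriteTime
            OwnerSid       = $fileOwner
            UntrustedOwner = $fileOwner -notin $trusted
        }
    } | Format-Table -AutoSize
}
```

Any row in the first table, or any file with `UntrustedOwner` set, means the path is still writable or was written by a non-admin account and its contents should be reviewed before Jupyter is started on that host.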
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2025-30167 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-30167, increasing the risk of exploitation.
What systems are affected by CVE-2025-30167?
This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook environments, JupyterHub multi-user deployments, ML training pipelines, Shared data science workstations, Agent frameworks using Jupyter kernels, VS Code Jupyter extension environments.
What is the CVSS score for CVE-2025-30167?
CVE-2025-30167 has a CVSS v3.1 base score of 7.3 (HIGH). The EPSS exploitation probability is 0.15%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0037 Data from Local System
- AML.T0055 Unsecured Credentials
- AML.T0081 Modify AI Agent Configuration
Compliance Controls Affected
What are the technical details?
Original Advisory
## Impact
On Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected.

## Mitigations
- upgrade to `jupyter_core>=5.8.1` (5.8.0 is patched but breaks `jupyter-server`), or
- as administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users, or
- as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions, or
- as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user)

## Credit
Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932
Exploitation Scenario
An attacker with a low-privileged Windows domain account on a shared ML research server writes a malicious jupyter_notebook_config.py to %PROGRAMDATA%\jupyter\. The file registers a kernel startup hook that silently exfiltrates environment variables (including OPENAI_API_KEY, AWS credentials, HuggingFace tokens) and scans for .ipynb files containing embedded secrets. A senior ML engineer logs in, launches their training notebook, and their credentials plus in-progress model checkpoints are exfiltrated to an attacker-controlled endpoint. On JupyterHub Windows deployments, a single compromised student or contractor account can persist access affecting all platform users until the malicious config is discovered.
Weaknesses (CWE)
CWE-427 — Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
- [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
- [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
References
Timeline
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2023-25574 | 10.0 | JupyterHub LTI13: JWT forgery enables full auth bypass | Same package: jupyter |
| CVE-2026-44180 | 9.8 | Jupyter Enterprise Gateway: root privilege bypass in Kubernetes | Same package: jupyter |
| CVE-2026-42266 | 8.8 | JupyterLab: Extension allow-list bypass enables privesc | Same package: jupyter |
| CVE-2026-5422 | 8.1 | jupyter-server: path traversal exposes sibling dir files | Same package: jupyter |
| CVE-2025-30370 | 7.4 | jupyterlab-git: command injection via malicious repo name | Same package: jupyter |