CVE-2025-30167: jupyter_core: config hijack enables cross-user code exec
GHSA-33p9-3p43-82vq | HIGH | PoC AVAILABLE
Jupyter Core on shared Windows systems allows any local user to plant malicious configuration files that execute when other users start Jupyter sessions—potentially exfiltrating model weights, training data, and API credentials. Patch to 5.8.1 immediately; if delayed, lock %PROGRAMDATA%\jupyter with admin-only write permissions via Group Policy. JupyterHub deployments and shared data science workstations on Windows are the highest-risk environments.
Risk Assessment
Risk is HIGH for shared Windows environments running Jupyter. Exploitation is trivial—requires only a local user account and default write access to %PROGRAMDATA%, which is permissive on many Windows deployments. Attack surface is narrow: Windows-only, multi-user systems, requires victim to initiate a Jupyter session. Low EPSS (0.00023) and absence from CISA KEV suggest no active exploitation in the wild. Organizations running JupyterHub or shared ML workstations on Windows should treat this as urgent given the sensitivity of data typically processed in these environments.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| jupyter_core | pip | < 5.8.0 | 5.8.1 |
Recommended Action
1. PATCH: Upgrade to jupyter_core >= 5.8.1 (5.8.0 is patched but breaks jupyter-server; skip it).
2. RESTRICT: As administrator, set restrictive ACLs on %PROGRAMDATA%\jupyter so only SYSTEM/Administrators can write—deploy via Group Policy for scale.
3. REDIRECT: Set %PROGRAMDATA% to an admin-controlled path via Group Policy to contain the attack surface.
4. DETECT: Audit %PROGRAMDATA%\jupyter for unexpected files (jupyter_notebook_config.py, jupyter_server_config.py, custom.js, startup/ scripts). Alert on writes by non-admin accounts.
5. INVENTORY: Identify all Windows-based Jupyter deployments—JupyterHub, Anaconda, VS Code Jupyter—and prioritize shared systems.
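One way to run the RESTRICT and DETECT checks above, as an added PowerShell example (not code from the advisory or the Jupyter project). It assumes the default %PROGRAMDATA%\jupyter location and treats only SYSTEM, Administrators and TrustedInstaller as trusted writers; the function names are hypothetical.

```powershell
# Added example: read-only audit of the system-wide Jupyter config location.
# Assumption: the default layout, %PROGRAMDATA%\jupyter; function names are hypothetical.
$JupyterDir = Join-Path $env:PROGRAMDATA 'jupyter'

# Principals expected to hold write access: SYSTEM, Administrators, TrustedInstaller.
$TrustedSids = @(
    'S-1-5-18',
    'S-1-5-32-544',
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

# Rights that allow planting or replacing files, or rewriting the ACL, plus the
# GENERIC_WRITE / GENERIC_ALL bits that inherit-only ACEs often carry.
$Rights    = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($Rights::WriteData -bor $Rights::AppendData -bor $Rights::Delete -bor
                   $Rights::DeleteSubdirectoriesAndFiles -bor $Rights::ChangePermissions -bor
                   $Rights::TakeOwnership) -bor 0x50000000

function Get-UntrustedWriteAce {
    # Allow ACEs on $Path that give a non-trusted SID any of the rights in $WriteMask.
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $TrustedSids -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $WriteMask) -ne 0
        } |
        Select-Object @{n='Path'; e={$Path}}, @{n='Sid'; e={$_.IdentityReference.Value}},
                      FileSystemRights, IsInherited
}

function Get-UntrustedOwnedFile {
    # Files under $Path whose owner is not a trusted SID (config, custom.js, startup scripts).
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $owner = (Get-Acl -LiteralPath $_.FullName).GetOwner($sidType).Value
        if ($TrustedSids -notcontains $owner) {
            [pscustomobject]@{ File = $_.FullName; OwnerSid = $owner; LastWrite = $_.LastWriteTime }
        }
    }
}

if (Test-Path -LiteralPath $JupyterDir) {
    Get-UntrustedWriteAce  -Path $JupyterDir | Format-List   # who can still write here
    Get-UntrustedOwnedFile -Path $JupyterDir | Format-List   # what non-admins already placed
} else {
    # Directory absent: whoever can create a subfolder of %PROGRAMDATA% can create it.
    Write-Warning "$JupyterDir does not exist; listing who can create it."
    Get-UntrustedWriteAce -Path $env:PROGRAMDATA | Format-List
}
```

Empty output from both functions is the hardened state. The ACL check covers only the directory itself, so subfolders with inheritance disabled need the same call.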
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2025-30167?
Jupyter Core on shared Windows systems allows any local user to plant malicious configuration files that execute when other users start Jupyter sessions—potentially exfiltrating model weights, training data, and API credentials. Patch to 5.8.1 immediately; if delayed, lock %PROGRAMDATA%\jupyter with admin-only write permissions via Group Policy. JupyterHub deployments and shared data science workstations on Windows are the highest-risk environments.
Is CVE-2025-30167 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2025-30167, increasing the risk of exploitation.
How to fix CVE-2025-30167?
1. PATCH: Upgrade to jupyter_core >= 5.8.1 (5.8.0 is patched but breaks jupyter-server; skip it). 2. RESTRICT: As administrator, set restrictive ACLs on %PROGRAMDATA%\jupyter so only SYSTEM/Administrators can write—deploy via Group Policy for scale. 3. REDIRECT: Set %PROGRAMDATA% to an admin-controlled path via Group Policy to contain the attack surface. 4. DETECT: Audit %PROGRAMDATA%\jupyter for unexpected files (jupyter_notebook_config.py, jupyter_server_config.py, custom.js, startup/ scripts). Alert on writes by non-admin accounts. 5. INVENTORY: Identify all Windows-based Jupyter deployments—JupyterHub, Anaconda, VS Code Jupyter—and prioritize shared systems.
What systems are affected by CVE-2025-30167?
This vulnerability affects the following AI/ML architecture patterns: Jupyter notebook environments, JupyterHub multi-user deployments, ML training pipelines, Shared data science workstations, Agent frameworks using Jupyter kernels, VS Code Jupyter extension environments.
What is the CVSS score for CVE-2025-30167?
CVE-2025-30167 has a CVSS v3.1 base score of 7.3 (HIGH). The EPSS exploitation probability is 0.06%.
Technical Details
NVD Description
## Impact
On Windows, the shared `%PROGRAMDATA%` directory is searched for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` are affected.

## Mitigations
- upgrade to `jupyter_core>=5.8.1` (5.8.0 is patched but breaks `jupyter-server`), or
- as administrator, modify the permissions on the `%PROGRAMDATA%` directory so it is not writable by unauthorized users, or
- as administrator, create the `%PROGRAMDATA%\jupyter` directory with appropriately restrictive permissions, or
- as user or administrator, set the `%PROGRAMDATA%` environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators _or_ the current user)

## Credit
Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932
Exploitation Scenario
An attacker with a low-privileged Windows domain account on a shared ML research server writes a malicious jupyter_notebook_config.py to %PROGRAMDATA%\jupyter\. The file registers a kernel startup hook that silently exfiltrates environment variables (including OPENAI_API_KEY, AWS credentials, HuggingFace tokens) and scans for .ipynb files containing embedded secrets. A senior ML engineer logs in, launches their training notebook, and their credentials plus in-progress model checkpoints are exfiltrated to an attacker-controlled endpoint. On JupyterHub Windows deployments, a single compromised student or contractor account can persist access affecting all platform users until the malicious config is discovered.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Related Vulnerabilities
| CVE | Score | Summary | Same attack type |
|---|---|---|---|
| CVE-2023-3765 | 10.0 | MLflow: path traversal allows arbitrary file read | Supply Chain |
| CVE-2025-5120 | 10.0 | smolagents: sandbox escape enables unauthenticated RCE | Supply Chain |
| CVE-2025-2828 | 10.0 | LangChain RequestsToolkit: SSRF exposes cloud metadata | Data Extraction |
| CVE-2025-53767 | 10.0 | Azure OpenAI: SSRF EoP, no auth required (CVSS 10) | Data Extraction |
| CVE-2025-59528 | 10.0 | Flowise: Unauthenticated RCE via MCP config injection | Supply Chain |