AI Threat Alert

CVE-2025-53000: nbconvert: security flaw enables exploitation

GHSA-xm59-rqc7-hhvf HIGH CISA: ATTEND
Published December 18, 2025
CISO Take

Jupyter nbconvert on Windows executes arbitrary batch scripts when converting SVG-containing notebooks to PDF, via an uncontrolled search path that picks up any inkscape.bat in the working directory. Any AI/ML team using Jupyter in shared or CI/CD environments on Windows is exposed. Patch to nbconvert 7.17.0 immediately and audit shared directories for unexpected .bat files.

What is the risk?

Moderate-to-high risk in AI/ML organizational contexts. While exploitation requires local write access to the directory from which nbconvert is invoked, this is realistic in shared Jupyter server environments, collaborative data science platforms, MLOps CI/CD pipelines pulling from shared artifact stores, and containerized notebook-to-report workflows. EPSS is currently negligible (0.00012), but the attack is trivial to execute once file placement is achieved. Impact is full arbitrary code execution with the privilege of the nbconvert process — typically a data scientist or service account with broad access to ML assets, datasets, and credentials.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
nbconvert pip < 7.17.0 7.17.0

Do you use nbconvert? You're affected.

How severe is it?

CVSS 3.1
N/A
EPSS
0.2%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What should I do?

6 steps

  1. PATCH

    Upgrade nbconvert to >= 7.17.0 immediately on all Windows systems (pip install --upgrade nbconvert).

  2. AUDIT

    Scan shared directories, project folders, and CI/CD artifact directories for unexpected .bat files, especially named after common executables (inkscape.bat, python.bat, etc.).

  3. HARDEN

    Run nbconvert via absolute paths and restrict the working directory for PDF exports to a controlled, write-protected location.

  4. DETECT

    Add file integrity monitoring alerts for .bat file creation in ML project directories and nbconvert working directories.

  5. WORKAROUND (pre-patch): Use --output-dir to control the working directory, or convert notebooks in isolated, ephemeral containers.

  6. PRINCIPLE

    Enforce least-privilege on service accounts running automated notebook conversions.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Supply Chain Framework AML.T0010.001 AML.T0011 AML.T0050 AML.T0074

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art.9 - Risk management system for high-risk AI
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system deployment risks
NIST AI RMF
GOVERN-6.1 - Policies and procedures for secure AI development MANAGE 2.2 - Mechanisms to Manage AI Risks MANAGE-2.2 - Risk treatment for AI system incidents MAP 5.1 - Likelihood of AI Vulnerabilities Assessed
OWASP LLM Top 10
LLM05-2025 - Insecure Output Handling LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-53000?

Jupyter nbconvert on Windows executes arbitrary batch scripts when converting SVG-containing notebooks to PDF, via an uncontrolled search path that picks up any inkscape.bat in the working directory. Any AI/ML team using Jupyter in shared or CI/CD environments on Windows is exposed. Patch to nbconvert 7.17.0 immediately and audit shared directories for unexpected .bat files.

Is CVE-2025-53000 actively exploited?

No confirmed active exploitation of CVE-2025-53000 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-53000?

1. PATCH: Upgrade nbconvert to >= 7.17.0 immediately on all Windows systems (`pip install --upgrade nbconvert`). 2. AUDIT: Scan shared directories, project folders, and CI/CD artifact directories for unexpected .bat files, especially named after common executables (inkscape.bat, python.bat, etc.). 3. HARDEN: Run nbconvert via absolute paths and restrict the working directory for PDF exports to a controlled, write-protected location. 4. DETECT: Add file integrity monitoring alerts for .bat file creation in ML project directories and nbconvert working directories. 5. WORKAROUND (pre-patch): Use `--output-dir` to control the working directory, or convert notebooks in isolated, ephemeral containers. 6. PRINCIPLE: Enforce least-privilege on service accounts running automated notebook conversions.

What systems are affected by CVE-2025-53000?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML development workflows, CI/CD pipelines for ML, shared Jupyter environments, notebook-based reporting automation.

What is the CVSS score for CVE-2025-53000?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

training pipelinesML development workflowsCI/CD pipelines for MLshared Jupyter environmentsnotebook-based reporting automation

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0074 Masquerading

Compliance Controls Affected

EU AI Act: Art.9
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN-6.1, MANAGE 2.2, MANAGE-2.2, MAP 5.1
OWASP LLM Top 10: LLM05-2025, LLM05:2025

What are the technical details?

Original Advisory

### Summary On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a [Windows batch script](https://en.wikipedia.org/wiki/Batch_file), capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ `nbconvert` searches for an `inkscape` executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104 The MITRE page on [CWE-427 (Uncontrolled Search Path Element)](https://cwe.mitre.org/data/definitions/427.html) summarizes the root cause succinctly: > In Windows-based systems, when the `LoadLibrary` or `LoadLibraryEx` function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: > - the directory from which the program has been loaded > - the current working directory ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ 1. Create a directory containing: - A hidden bat file called `inkscape.bat` containing `msg * "You've been hacked!"` - A dummy ipynb file called `Machine_Learning.ipynb` 2. Run the command `jupyter nbconvert --to pdf Machine_Learning.ipynb`. 3. Wait a few seconds, and you should see a popup showing the message "You've been hacked!" ### Impact All Windows users.

Exploitation Scenario

An adversary with write access to a shared project directory on a Windows-based Jupyter or MLOps platform plants a file named inkscape.bat containing a reverse shell payload or credential harvester. When a data scientist or CI/CD job runs `jupyter nbconvert --to pdf` on any notebook with SVG output from that directory, Windows' uncontrolled search path resolution finds inkscape.bat before the legitimate inkscape binary. The batch script executes with full user privileges, enabling lateral movement to cloud storage buckets, model registries, or secrets managers accessible to the data science environment. The attack is entirely silent from the notebook author's perspective — the PDF may even still generate normally depending on the payload.

Weaknesses (CWE)

CWE-427 Uncontrolled Search Path Element Primary

CWE-427 — Uncontrolled Search Path Element: The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

  • [Architecture and Design, Implementation] Hard-code the search path to a set of known-safe values (such as system directories), or only allow them to be specified by the administrator in a configuration file. Do not allow these settings to be modified by an external party. Be careful to avoid related weaknesses such as CWE-426 and CWE-428.
  • [Implementation] When invoking other programs, specify those programs using fully-qualified pathnames. While this is an effective approach, code that uses fully-qualified pathnames might not be portable to other systems that do not use the same pathnames. The portability can be improved by locating the full-qualified paths in a centralized, easily-modifiable location within the source code, and having the code refer to these paths.

Source: MITRE CWE corpus.

References

Timeline

Published
December 18, 2025
Last Modified
February 10, 2026
First Seen
March 24, 2026

Related Vulnerabilities

CRITICAL CVE-2025-59528 10.0

Flowise: Unauthenticated RCE via MCP config injection

Same attack type: Supply Chain
CRITICAL CVE-2024-2912 10.0

BentoML: RCE via insecure deserialization (CVSS 10)

Same attack type: Supply Chain
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Supply Chain
CRITICAL CVE-2025-5120 10.0

smolagents: sandbox escape enables unauthenticated RCE

Same attack type: Supply Chain
CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Code Execution
Back to Threat Feed