CVE-2025-53000 — HIGH AI Security Vulnerability

CISO Take

Jupyter nbconvert on Windows executes arbitrary batch scripts when converting SVG-containing notebooks to PDF, via an uncontrolled search path that picks up any inkscape.bat in the working directory. Any AI/ML team using Jupyter in shared or CI/CD environments on Windows is exposed. Patch to nbconvert 7.17.0 immediately and audit shared directories for unexpected .bat files.

Risk Assessment

Moderate-to-high risk in AI/ML organizational contexts. While exploitation requires local write access to the directory from which nbconvert is invoked, this is realistic in shared Jupyter server environments, collaborative data science platforms, MLOps CI/CD pipelines pulling from shared artifact stores, and containerized notebook-to-report workflows. EPSS is currently negligible (0.00012), but the attack is trivial to execute once file placement is achieved. Impact is full arbitrary code execution with the privilege of the nbconvert process — typically a data scientist or service account with broad access to ML assets, datasets, and credentials.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
nbconvert	pip	< 7.17.0	`7.17.0`

Do you use nbconvert? You're affected.

Severity & Risk

CVSS 3.1

N/A

EPSS

0.0%

chance of exploitation in 30 days

Higher than 4% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Recommended Action

6 steps

PATCH

Upgrade nbconvert to >= 7.17.0 immediately on all Windows systems (pip install --upgrade nbconvert).
AUDIT

Scan shared directories, project folders, and CI/CD artifact directories for unexpected .bat files, especially named after common executables (inkscape.bat, python.bat, etc.).
HARDEN

Run nbconvert via absolute paths and restrict the working directory for PDF exports to a controlled, write-protected location.
DETECT

Add file integrity monitoring alerts for .bat file creation in ML project directories and nbconvert working directories.
WORKAROUND (pre-patch): Use --output-dir to control the working directory, or convert notebooks in isolated, ephemeral containers.
PRINCIPLE

Enforce least-privilege on service accounts running automated notebook conversions.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework AML.T0010.001 - AI Software AML.T0011 - User Execution AML.T0050 - Command and Scripting Interpreter AML.T0074 - Masquerading

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.9 - Risk management system for high-risk AI

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system deployment risks

NIST AI RMF

GOVERN-6.1 - Policies and procedures for secure AI development MANAGE 2.2 - Mechanisms to Manage AI Risks MANAGE-2.2 - Risk treatment for AI system incidents MAP 5.1 - Likelihood of AI Vulnerabilities Assessed

OWASP LLM Top 10

LLM05-2025 - Insecure Output Handling LLM05:2025 - Improper Output Handling

Frequently Asked Questions

What is CVE-2025-53000?

Jupyter nbconvert on Windows executes arbitrary batch scripts when converting SVG-containing notebooks to PDF, via an uncontrolled search path that picks up any inkscape.bat in the working directory. Any AI/ML team using Jupyter in shared or CI/CD environments on Windows is exposed. Patch to nbconvert 7.17.0 immediately and audit shared directories for unexpected .bat files.

Is CVE-2025-53000 actively exploited?

No confirmed active exploitation of CVE-2025-53000 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-53000?

1. PATCH: Upgrade nbconvert to >= 7.17.0 immediately on all Windows systems (`pip install --upgrade nbconvert`). 2. AUDIT: Scan shared directories, project folders, and CI/CD artifact directories for unexpected .bat files, especially named after common executables (inkscape.bat, python.bat, etc.). 3. HARDEN: Run nbconvert via absolute paths and restrict the working directory for PDF exports to a controlled, write-protected location. 4. DETECT: Add file integrity monitoring alerts for .bat file creation in ML project directories and nbconvert working directories. 5. WORKAROUND (pre-patch): Use `--output-dir` to control the working directory, or convert notebooks in isolated, ephemeral containers. 6. PRINCIPLE: Enforce least-privilege on service accounts running automated notebook conversions.

What systems are affected by CVE-2025-53000?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, ML development workflows, CI/CD pipelines for ML, shared Jupyter environments, notebook-based reporting automation.

What is the CVSS score for CVE-2025-53000?

No CVSS score has been assigned yet.

Technical Details

NVD Description

### Summary On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a [Windows batch script](https://en.wikipedia.org/wiki/Batch_file), capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. ### Details _Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer._ `nbconvert` searches for an `inkscape` executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104 The MITRE page on [CWE-427 (Uncontrolled Search Path Element)](https://cwe.mitre.org/data/definitions/427.html) summarizes the root cause succinctly: > In Windows-based systems, when the `LoadLibrary` or `LoadLibraryEx` function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled: > - the directory from which the program has been loaded > - the current working directory ### PoC _Complete instructions, including specific configuration details, to reproduce the vulnerability._ 1. Create a directory containing: - A hidden bat file called `inkscape.bat` containing `msg * "You've been hacked!"` - A dummy ipynb file called `Machine_Learning.ipynb` 2. Run the command `jupyter nbconvert --to pdf Machine_Learning.ipynb`. 3. Wait a few seconds, and you should see a popup showing the message "You've been hacked!" ### Impact All Windows users.

Exploitation Scenario

An adversary with write access to a shared project directory on a Windows-based Jupyter or MLOps platform plants a file named inkscape.bat containing a reverse shell payload or credential harvester. When a data scientist or CI/CD job runs `jupyter nbconvert --to pdf` on any notebook with SVG output from that directory, Windows' uncontrolled search path resolution finds inkscape.bat before the legitimate inkscape binary. The batch script executes with full user privileges, enabling lateral movement to cloud storage buckets, model registries, or secrets managers accessible to the data science environment. The attack is entirely silent from the notebook author's perspective — the PDF may even still generate normally depending on the payload.