Jupyter nbconvert on Windows executes arbitrary batch scripts when converting SVG-containing notebooks to PDF, via an uncontrolled search path that picks up any inkscape.bat in the working directory. Any AI/ML team using Jupyter in shared or CI/CD environments on Windows is exposed. Patch to nbconvert 7.17.0 immediately and audit shared directories for unexpected .bat files.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| nbconvert | pip | < 7.17.0 | 7.17.0 |
Do you use nbconvert? You're affected.
Recommended Action
1. PATCH: Upgrade nbconvert to >= 7.17.0 immediately on all Windows systems (`pip install --upgrade nbconvert`).
2. AUDIT: Scan shared directories, project folders, and CI/CD artifact directories for unexpected .bat files, especially those named after common executables (inkscape.bat, python.bat, etc.).
3. HARDEN: Run nbconvert via absolute paths and restrict the working directory for PDF exports to a controlled, write-protected location.
4. DETECT: Add file integrity monitoring alerts for .bat file creation in ML project directories and nbconvert working directories.
5. WORKAROUND (pre-patch): Use `--output-dir` to control the working directory, or convert notebooks in isolated, ephemeral containers.
6. PRINCIPLE: Enforce least privilege on service accounts running automated notebook conversions.
Technical Details
NVD Description
### Summary

On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create an `inkscape.bat` file that defines a [Windows batch script](https://en.wikipedia.org/wiki/Batch_file), capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly.

### Details

`nbconvert` searches for an `inkscape` executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104

The MITRE page on [CWE-427 (Uncontrolled Search Path Element)](https://cwe.mitre.org/data/definitions/427.html) summarizes the root cause succinctly:

> In Windows-based systems, when the `LoadLibrary` or `LoadLibraryEx` function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:
> - the directory from which the program has been loaded
> - the current working directory

### PoC

1. Create a directory containing:
   - A hidden bat file called `inkscape.bat` containing `msg * "You've been hacked!"`
   - A dummy ipynb file called `Machine_Learning.ipynb`
2. Run the command `jupyter nbconvert --to pdf Machine_Learning.ipynb`.
3. Wait a few seconds, and you should see a popup showing the message "You've been hacked!"

### Impact

All Windows users.
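As an added example (not nbconvert's own code, nor its fix in 7.17.0), the following Python shows the two defensive checks the Details and the AUDIT/HARDEN steps above point at: resolving a helper executable only from directories the caller names, so the working directory can never supply it, and auditing a directory for .bat/.cmd files that shadow an expected tool name. The function names, the `tools` install directory and all file contents are constructed for the demo, and `WIN_PATHEXT` is a shortened stand-in for the host's real PATHEXT.

```python
import tempfile
from pathlib import Path

# Shortened stand-in for Windows PATHEXT (constructed; on a real host read
# os.environ["PATHEXT"]). Script extensions come last, as Windows orders them.
WIN_PATHEXT = (".com", ".exe", ".bat", ".cmd")
SCRIPT_EXTS = {".bat", ".cmd"}  # extensions the audit treats as scripts


def resolve_tool(name, search_dirs, pathext=WIN_PATHEXT):
    """Resolve a bare tool name only inside explicit search_dirs.
    The current working directory is never consulted unless the caller
    lists it (the CWE-427 mitigation): a stray inkscape.bat beside the
    notebook cannot be picked up by accident."""
    candidates = [name] + [name + ext for ext in pathext]
    for d in search_dirs:
        base = Path(d).resolve()
        for cand in candidates:
            p = base / cand
            if p.is_file():
                return str(p)
    return None


def find_shadowing_scripts(directory, expected_tools):
    """Audit one directory for .bat/.cmd files whose stem matches a tool
    that would be invoked by bare name (the advisory's AUDIT step)."""
    wanted = {t.lower() for t in expected_tools}
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and p.suffix.lower() in SCRIPT_EXTS
                  and p.stem.lower() in wanted)


def demo():
    """Rebuild the PoC layout with harmless constructed files; return the
    audit hit and the cwd lookup (bug) beside the controlled lookup (fix)."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "inkscape.bat").write_text("@echo constructed sample\n")
        (Path(tmp) / "Machine_Learning.ipynb").write_text("{}\n")
        tools = Path(tmp) / "tools"  # stand-in for a real install directory
        tools.mkdir()
        (tools / "inkscape.exe").write_bytes(b"")
        return {
            "audit": find_shadowing_scripts(tmp, ["inkscape", "python"]),
            "cwd_lookup": resolve_tool("inkscape", [tmp]),
            "safe_lookup": resolve_tool("inkscape", [tools]),
        }
```

Running `demo()` shows the audit flagging `inkscape.bat`, the notebook directory resolving to that script, and the controlled directory resolving to `inkscape.exe`.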
Exploitation Scenario
An adversary with write access to a shared project directory on a Windows-based Jupyter or MLOps platform plants a file named inkscape.bat containing a reverse shell payload or credential harvester. When a data scientist or CI/CD job runs `jupyter nbconvert --to pdf` on any notebook with SVG output from that directory, Windows' uncontrolled search path resolution finds inkscape.bat before the legitimate inkscape binary. The batch script executes with full user privileges, enabling lateral movement to cloud storage buckets, model registries, or secrets managers accessible to the data science environment. The attack is entirely silent from the notebook author's perspective — the PDF may even still generate normally depending on the payload.
References
- github.com/advisories/GHSA-xm59-rqc7-hhvf
- github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py
- github.com/jupyter/nbconvert/commit/c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71
- github.com/jupyter/nbconvert/issues/2258
- github.com/jupyter/nbconvert/releases/tag/v7.17.0
- github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf
- nvd.nist.gov/vuln/detail/CVE-2025-53000
- imperva.com/blog/code-execution-in-jupyter-notebook-exports