CVE-2025-30167 Information

Description

Jupyter Core is a package for the core common functionality of Jupyter projects. When using Jupyter Core prior to version 5.8.0 on Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users. Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected. Users should upgrade to Jupyter Core version 5.8.0 or later to receive a patch.

Some other mitigations are available: as administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users; or, as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions; or, as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators or the current user).
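One way to apply the second mitigation (creating %PROGRAMDATA%\jupyter with restrictive permissions) from an elevated PowerShell prompt. This is an added example, not taken from the advisory or the Jupyter project. The choice of principals (Administrators and SYSTEM with full control, Users read-only) is an assumption about what "appropriately restrictive" means on a given system.

```powershell
#Requires -RunAsAdministrator
# Added example: lock down %PROGRAMDATA%\jupyter, then verify the result.
$dir = Join-Path $env:ProgramData 'jupyter'

# Well-known SIDs, so the script does not depend on localized group names.
$sidType = 'System.Security.Principal.SecurityIdentifier'
$admins  = New-Object -TypeName $sidType -ArgumentList 'S-1-5-32-544'  # BUILTIN\Administrators
$system  = New-Object -TypeName $sidType -ArgumentList 'S-1-5-18'      # NT AUTHORITY\SYSTEM
$users   = New-Object -TypeName $sidType -ArgumentList 'S-1-5-32-545'  # BUILTIN\Users

if (Test-Path -Path $dir) {
    # The directory predates this fix: list what is in it and who owns it,
    # because files created earlier by another user stay in place.
    Write-Warning "$dir already exists; review its contents:"
    Get-ChildItem -Path $dir -Recurse -Force |
        Select-Object FullName, LastWriteTime, @{ n = 'Owner'; e = { (Get-Acl -Path $_.FullName).Owner } }
} else {
    New-Item -ItemType Directory -Path $dir | Out-Null
}

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$full    = [System.Security.AccessControl.FileSystemRights]::FullControl
$read    = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$ruleT   = 'System.Security.AccessControl.FileSystemAccessRule'

$acl = Get-Acl -Path $dir
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from %PROGRAMDATA%, drop inherited ACEs
$acl.SetOwner($admins)                        # an unprivileged owner could rewrite the DACL
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }   # clear pre-existing explicit ACEs
$acl.AddAccessRule((New-Object -TypeName $ruleT -ArgumentList $admins, $full, $inherit, $noProp, $allow))
$acl.AddAccessRule((New-Object -TypeName $ruleT -ArgumentList $system, $full, $inherit, $noProp, $allow))
$acl.AddAccessRule((New-Object -TypeName $ruleT -ArgumentList $users,  $read, $inherit, $noProp, $allow))
Set-Acl -Path $dir -AclObject $acl

# Verify: no Allow ACE may give write-type rights to anyone but Administrators/SYSTEM.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$trusted   = @($admins.Value, $system.Value)
$risky = (Get-Acl -Path $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq $allow -and ($_.FileSystemRights -band $writeMask) -and
                   ($trusted -notcontains $_.IdentityReference.Value) }
if ($risky) { Write-Warning 'Write access remains for:'; $risky | Format-Table IdentityReference, FileSystemRights }
else        { Write-Output "$dir is writable only by Administrators and SYSTEM." }
```

The new ACL applies to the directory itself; files that already existed under it may keep explicit permissions of their own, which is why the script lists them for review first.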

Reference

https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq
