7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30167

GHSA ID

GHSA-33p9-3p43-82vq

EPSS Score

0.01292%

CWE

CWE-427

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-30167

CVE-2025-30167: Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Impact

On Windows, the shared %PROGRAMDATA% directory is searched for configuration files (SYSTEM_CONFIG_PATH and SYSTEM_JUPYTER_PATH), which may allow users to create configuration files affecting other users.

Only shared Windows systems with multiple users and unprotected %PROGRAMDATA% are affected.

Mitigations

upgrade to jupyter_core>=5.8.1 (5.8.0 is patched but breaks jupyter-server) , or
as administrator, modify the permissions on the %PROGRAMDATA% directory so it is not writable by unauthorized users, or
as administrator, create the %PROGRAMDATA%\jupyter directory with appropriately restrictive permissions, or
as user or administrator, set the %PROGRAMDATA% environment variable to a directory with appropriately restrictive permissions (e.g. controlled by administrators or the current user)

Credit

Reported via Trend Micro Zero Day Initiative as ZDI-CAN-25932

(GitHub Advisory)

7.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-30167

GHSA ID

GHSA-33p9-3p43-82vq

EPSS Score

0.01292%

CWE

CWE-427

Published

6/4/2025

Updated

6/4/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
jupyter_core	pip	< 5.8.0	5.8.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Jupyter Core's handling of configuration file paths on Windows, specifically concerning the SYSTEM_CONFIG_PATH variable which can be derived from the %PROGRAMDATA% directory. If this directory has weak permissions, an attacker can place malicious configuration files that would be loaded by Jupyter processes, potentially leading to local privilege escalation. The function jupyter_core.paths.jupyter_config_path() is identified as the key vulnerable function because it assembles the list of search paths, including the potentially insecure SYSTEM_CONFIG_PATH. The provided patch (commit 0d225fda61f0edff01d1dfa826764482070dd8c3) modifies the logic in jupyter_core/paths.py to ensure that SYSTEM_CONFIG_PATH defaults to more secure alternatives (like ENV_CONFIG_PATH, which is typically sys.prefix/etc/jupyter) when the safety of using %PROGRAMDATA% cannot be guaranteed (e.g., when _use_programdata is false, or _win_programdata is not set). This change prevents jupyter_config_path() from returning a path list that includes an easily exploitable shared directory by default under vulnerable conditions. Any process using jupyter_config_path() to locate configuration files would have been susceptible.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t On Win*ows, t** s**r** `%PRO*R*M**T*%` *ir**tory is s**r**** *or *on*i*ur*tion *il*s (`SYST*M_*ON*I*_P*T*` *n* `SYST*M_JUPYT*R_P*T*`), w*i** m*y *llow us*rs to *r**t* *on*i*ur*tion *il*s *****tin* ot**r us*rs. Only s**r** Win*ows syst*ms

Reasoning

T** vuln*r**ility li*s in Jupyt*r *or*'s **n*lin* o* *on*i*ur*tion *il* p*t*s on Win*ows, sp**i*i**lly *on**rnin* t** `SYST*M_*ON*I*_P*T*` v*ri**l* w*i** **n ** **riv** *rom t** `%PRO*R*M**T*%` *ir**tory. I* t*is *ir**tory **s w**k p*rmissions, *n *t

7.3

Basic Information

Concerned about an active attack path?

CVE-2025-30167: Jupyter Core on Windows Has Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Impact

Mitigations

Credit

7.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI