CVE-2025-53000
unknown
CVSS v3
-
CVSS v4
-
VIR risk
-
Description
nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows
Predictions
Exploit likelihood
20%
Patch ETA
-
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | nbconvert | <7.17.0 | 7.17.0 |
References
- https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf
- https://nvd.nist.gov/vuln/detail/CVE-2025-53000
- https://github.com/jupyter/nbconvert/issues/2258
- https://github.com/jupyter/nbconvert/commit/c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71
- https://github.com/jupyter/nbconvert
- https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104
- https://github.com/jupyter/nbconvert/releases/tag/v7.17.0
- https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports
- https://security-tracker.debian.org/tracker/CVE-2025-53000