
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Jupyter Core, a package providing core common functionality for Jupyter projects, was found to have a local privilege escalation vulnerability (CVE-2025-30167) affecting versions prior to 5.8.0. The vulnerability was discovered and disclosed on June 3, 2025, affecting Windows systems where the shared `%PROGRAMDATA%` directory is searched for configuration files (GitHub Advisory).
The vulnerability stems from an uncontrolled search path element where the application searches for configuration files (`SYSTEM_CONFIG_PATH` and `SYSTEM_JUPYTER_PATH`) in the shared `%PROGRAMDATA%` directory on Windows systems. This implementation could allow users to create configuration files that affect other users on the system. The vulnerability has been assigned a CVSS v3.1 score of 7.3 (High) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating local access requirements but high potential impact (GitHub Advisory).
The vulnerability affects shared Windows systems with multiple users and unprotected `%PROGRAMDATA%` directories. Successful exploitation could allow unauthorized users to create configuration files that impact other users on the system, potentially leading to privilege escalation and unauthorized access to system resources (GitHub Advisory).
Several mitigation options are available ([GitHub Advisory](https://github.com/jupyter/jupyter_core/security/advisories/GHSA-33p9-3p43-82vq)):

1. Upgrade to jupyter_core version 5.8.0 or later (note that version 5.8.0 is patched but has compatibility issues with jupyter-server).
2. As administrator, modify the permissions on the `%PROGRAMDATA%` directory to prevent unauthorized write access.
3. As administrator, create the `%PROGRAMDATA%\jupyter` directory with restrictive permissions.
4. Set the `%PROGRAMDATA%` environment variable to a directory with appropriate permissions.
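To confirm that mitigation 2 or 3 took effect, an administrator can review the output of `icacls "%PROGRAMDATA%\jupyter"`. The following is an added example, not code from the advisory or the jupyter_core project: it parses that output and reports any non-administrative principal holding write-type rights. The function name, the trusted-principal list (English account names, which differ on localized Windows) and the sample output are assumptions constructed for illustration.

```python
import re

# Principals expected to hold write access (assumption: English account names).
# CREATOR OWNER only affects objects a principal was already able to create.
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators",
           "NT SERVICE\\TrustedInstaller", "CREATOR OWNER"}
# icacls inheritance markers; these are not access rights.
FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Rights that allow creating or changing files, or re-ACLing the directory.
WRITE = {"F", "M", "W", "WD", "AD", "GW", "GA", "DC", "WDAC", "WO"}

ACE = re.compile(r"^(?P<who>[^:]+):(?P<perm>(\([^)]*\))+)$")

def risky_aces(icacls_text, path):
    """Return (principal, rights) pairs that grant write-type access to a
    principal outside TRUSTED, given the text printed by `icacls <path>`."""
    findings = []
    for line in icacls_text.splitlines():
        line = line.strip()
        if line.lower().startswith(path.lower()):
            line = line[len(path):].strip()    # first ACE line carries the path
        m = ACE.match(line)
        if not m:
            continue                           # blank or summary line
        groups = re.findall(r"\(([^)]*)\)", m["perm"])
        if "DENY" in groups:
            continue                           # deny entries grant nothing
        rights = {r for g in groups if g not in FLAGS for r in g.split(",")}
        hit = sorted(rights & WRITE)
        if hit and m["who"] not in TRUSTED:
            findings.append((m["who"], hit))
    return findings

# Constructed sample of icacls output (not captured from a real host):
# ordinary users may add files (WD) and subdirectories (AD).
SAMPLE = r"""C:\ProgramData\jupyter NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                       BUILTIN\Administrators:(I)(OI)(CI)(F)
                       CREATOR OWNER:(I)(OI)(CI)(IO)(F)
                       BUILTIN\Users:(I)(OI)(CI)(RX)
                       BUILTIN\Users:(I)(CI)(WD,AD,WEA,WA)

Successfully processed 1 files; Failed processing 0 files"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE, r"C:\ProgramData\jupyter"):
        print(f"write access for {who}: {','.join(rights)}")
```

An empty result for `%PROGRAMDATA%\jupyter` means only the trusted principals can place configuration files there. If the directory does not exist yet, run the same check against `%PROGRAMDATA%` itself, since the `AD` right there lets a user create the directory.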
Source: This report was generated using AI