CVE-2025-30370: 
Python vulnerability analysis and mitigation

jupyterlab-git is a JupyterLab extension for version control using Git. A command injection vulnerability was discovered that affects versions up to and including 0.51.0. On many platforms, if a user starts jupyter-lab in a parent directory of a Git repository with a name containing shell command substitution syntax ($()), clicking 'Git > Open Git Repository in Terminal' executes the injected command in the user's shell without permission. The vulnerability was disclosed on April 3, 2025, and has been fixed in version 0.51.1 (GitHub Advisory).

The vulnerability occurs because when opening a Git repository in terminal, jupyterlab-git runs the cd command through the shell to set the current directory. If the repository name contains command substitution syntax ($()), these commands are executed by the shell. The issue affects macOS and most Linux distributions where such directory names are allowed. The vulnerability has been assigned CVE-2025-30370 with a CVSS v3.1 score of 7.4 (High), based on vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H (GitHub Advisory).

This vulnerability allows for arbitrary code execution via command injection. An attacker can exploit this to perform various malicious actions including modifying files, exfiltrating data, halting services, or compromising the server's security rules. The impact is significant as it provides unauthorized access to execute commands with the privileges of the JupyterLab user (GitHub Advisory).

Users should upgrade to version 0.51.1 or later which contains the fix. For users unable to upgrade, three workaround options are available: 1) Disable terminals on jupyter-server level by setting c.ServerApp.terminals_enabled = False, 2) Disable the terminals server extension using 'jupyter server extension disable jupyter_server_terminals', or 3) Disable the lab extension using 'jupyter labextension disable @jupyterlab/terminal-extension' (GitHub Advisory).