CVE-2025-53000 Overview
CVE-2025-53000 is an untrusted search path vulnerability [CWE-427] in jupyter nbconvert, the command-line tool that converts Jupyter notebooks into formats such as PDF using Jinja templates. On Windows platforms, versions up to and including 7.16.6 execute an inkscape.bat file from the current working directory when converting a notebook containing SVG output to PDF. An attacker who plants a malicious inkscape.bat in a directory a user later runs jupyter nbconvert --to pdf from achieves arbitrary code execution in the user's context. The Jupyter project patched the issue in nbconvert 7.17.0 by resolving Inkscape via the Windows registry and blocking lookups in the current working directory.
Critical Impact
Arbitrary local code execution on Windows when a user converts a notebook containing SVG output to PDF from a directory containing a malicious inkscape.bat.
Affected Products
- Jupyter nbconvert versions up to and including 7.16.6 (Python package)
- Microsoft Windows platforms running the affected nbconvert versions
- Jupyter notebook workflows using --to pdf with SVG outputs via the svg2pdf preprocessor
Discovery Timeline
- 2025-12-17 - CVE-2025-53000 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-53000
Vulnerability Analysis
The vulnerability lives in the svg2pdf preprocessor at nbconvert/preprocessors/svg2pdf.py. When converting a notebook containing SVG output to PDF, nbconvert invokes Inkscape to rasterize the SVG. On Windows, the original code located the Inkscape binary using shutil.which("inkscape"), which honors the PATHEXT resolution rules and includes the current working directory in its lookup order. As a result, an inkscape.bat placed in the directory from which jupyter nbconvert is invoked is selected ahead of the legitimate Inkscape installation. The batch script then runs as a child of the Python process and inherits the user's privileges, enabling arbitrary command execution.
Root Cause
The root cause is reliance on PATH-based binary resolution that includes untrusted locations, specifically the current working directory, without validating the source of the executable. This is a classic untrusted search path weakness [CWE-427]. The fix in commit c9ac1d1 resolves Inkscape through the Windows registry first and explicitly excludes the current working directory from the search.
Attack Vector
Exploitation requires local access and user interaction. An attacker stages a malicious inkscape.bat in a directory (for example, a shared notebook folder, a repository cloned by the victim, or a downloaded archive). When the victim opens a terminal in that directory and runs jupyter nbconvert --to pdf against any notebook containing SVG output, the planted batch file runs with the victim's privileges. No network access or elevated permissions are required.
import os
import subprocess
import sys
+import warnings
+from pathlib import Path
from shutil import which
from tempfile import TemporaryDirectory
Source: GitHub nbconvert Commit c9ac1d1
The patch introduces pathlib.Path and warnings to support registry-based Inkscape discovery and to emit a warning when the binary cannot be located safely, replacing the prior dependency on which() alone.
Detection Methods for CVE-2025-53000
Indicators of Compromise
- Presence of inkscape.bat in user home directories, Downloads folders, cloned Git repositories, or shared notebook directories on Windows hosts
- python.exe or jupyter.exe spawning cmd.exe /c inkscape.bat from a non-standard path outside Program Files
- Unexpected child processes (PowerShell, certutil, curl, bitsadmin) launched under a nbconvert invocation
Detection Strategies
- Hunt for process trees where jupyter-nbconvert or python executes .bat files from user-writable directories
- Alert on creation of inkscape.bat files outside legitimate Inkscape installation paths
- Correlate notebook conversion activity with outbound network connections or credential access events on the same host
Monitoring Recommendations
- Enable command-line auditing (Windows Event ID 4688 with command line) to capture nbconvert invocations and their child processes
- Inventory developer and data-science workstations for nbconvert versions and flag any below 7.17.0
- Monitor file creation events for inkscape.bat in directories commonly used as working directories for notebook conversion
How to Mitigate CVE-2025-53000
Immediate Actions Required
- Upgrade nbconvert to version 7.17.0 or later on all Windows hosts using pip install --upgrade nbconvert
- Audit Windows developer and analyst systems for any existing inkscape.bat files in user-writable directories and remove unauthorized instances
- Restrict jupyter nbconvert --to pdf operations to trusted working directories until patching is complete
Patch Information
The vulnerability is fixed in nbconvert 7.17.0. The patch resolves Inkscape via the Windows registry before falling back to PATH and explicitly blocks the current working directory from the search. Details are available in the GitHub Security Advisory GHSA-xm59-rqc7-hhvf, the nbconvert 7.17.0 Release Notes, and the upstream commit c9ac1d1.
Workarounds
- Run jupyter nbconvert only from trusted, controlled directories that do not contain untrusted files
- Avoid converting notebooks from cloned repositories or extracted archives without first inspecting the directory for .bat files
- Use a non-PDF output format (such as HTML) for notebooks from untrusted sources until the upgrade is applied
# Upgrade nbconvert to a patched version on Windows
python -m pip install --upgrade "nbconvert>=7.17.0"
# Verify the installed version
python -m pip show nbconvert | findstr /B "Version"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
