Command Injection Vulnerability in JupyterLab Git Extension by Jupyter
CVE-2025-30370
7.4 HIGH
What is CVE-2025-30370?
The jupyterlab-git extension for JupyterLab is vulnerable to command injection because it improperly handles directory names that contain shell command substitution strings. The vulnerability allows unauthorized execution of commands when a user interacts with the Git repository feature, potentially compromising the user's shell environment. It occurs when the terminal is opened in a parent directory of a maliciously named Git repository. An incomplete fix was issued previously, but the latest version 0.51.1 addresses this critical security concern.
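The following is an added example, not code from jupyterlab-git or from this advisory: it audits a workspace for Git repositories whose directory names contain command substitution syntax, and shows why double-quoting such a name before handing it to a shell is not enough while single-quote escaping is. The function names, the sample tree and the benign `echo MARKER` name are constructed for illustration.

```python
import os
import re
import shlex
import subprocess
import tempfile

# Command substitution forms that a POSIX shell still expands inside double quotes.
SUBSTITUTION = re.compile(r"\$\(|`")

def find_risky_repos(root):
    """Return relative paths of Git repositories under root whose path contains substitution syntax."""
    risky = []
    for dirpath, dirnames, _files in os.walk(root):
        if ".git" in dirnames:
            dirnames.remove(".git")  # do not descend into Git internals
            rel = os.path.relpath(dirpath, root)
            if SUBSTITUTION.search(rel):
                risky.append(rel)
    return sorted(risky)

def quote_weak(path):
    # Double quotes stop word splitting but not $(...) or backtick expansion.
    return f'"{path}"'

def quote_safe(path):
    # shlex.quote single-quotes the name, so the shell treats it purely as data.
    return shlex.quote(path)

def shell_expands_to(word):
    """Ask sh what an already-quoted word expands to (printf only, no cd)."""
    out = subprocess.run(["sh", "-c", f"printf %s {word}"],
                         capture_output=True, text=True, check=True)
    return out.stdout

def make_sample_tree():
    """Constructed sample: one ordinary repo and one named with a benign marker."""
    root = tempfile.mkdtemp()
    for name in ("notebooks", "demo-$(echo MARKER)"):
        os.makedirs(os.path.join(root, name, ".git"))
    return root

if __name__ == "__main__":
    for repo in find_risky_repos(make_sample_tree()):
        print("risky repository name:", repo)
        print("  double-quoted, shell sees:", shell_expands_to(quote_weak(repo)))
        print("  single-quoted, shell sees:", shell_expands_to(quote_safe(repo)))
```

A hit from `find_risky_repos` on a shared or cloned workspace is a reason to inspect the directory before opening it from JupyterLab on an extension version below 0.51.1.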
Affected Version(s)
jupyterlab-git < 0.51.1
