Unauthorized Code Execution in Jupyter nbconvert on Windows
CVE-2025-53000
8.5 HIGH
What is CVE-2025-53000?
The nbconvert tool, used for converting Jupyter notebooks to various formats, is vulnerable when handling SVG output on Windows systems. A malicious third party can place an inkscape.bat file in a directory containing a notebook. When a user then runs the command jupyter nbconvert --to pdf on that notebook, the inkscape.bat file is executed, leading to arbitrary code execution. As of now, no patches have been released to address this vulnerability.
Affected Version(s)
nbconvert < 7.17.0
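
A pre-conversion check for the condition described above, added here as an example and not taken from nbconvert or its advisory. The function names are hypothetical, and treating .cmd, .exe and .com like .bat is an assumption of this example; the advisory names only inkscape.bat.

```python
import json
import tempfile
from pathlib import Path

# Assumption: only .bat is named in the advisory; the other extensions are
# added here because Windows also runs them without an explicit suffix.
RUNNABLE_EXTS = {".bat", ".cmd", ".exe", ".com"}

def planted_inkscape(directory):
    """Files in `directory` named inkscape.<runnable ext>, case-insensitive."""
    return sorted(
        p for p in Path(directory).iterdir()
        if p.is_file() and p.stem.lower() == "inkscape"
        and p.suffix.lower() in RUNNABLE_EXTS
    )

def has_svg_output(notebook_path):
    """True if any cell output carries an image/svg+xml payload."""
    nb = json.loads(Path(notebook_path).read_text(encoding="utf-8"))
    return any(
        "image/svg+xml" in out.get("data", {})
        for cell in nb.get("cells", [])
        for out in cell.get("outputs", [])
    )

def preflight(notebook_path):
    """Return ('block' | 'review' | 'ok', hits) before a --to pdf conversion."""
    hits = planted_inkscape(Path(notebook_path).resolve().parent)
    if hits and has_svg_output(notebook_path):
        return "block", hits    # planted file plus SVG output: the advisory's case
    if hits:
        return "review", hits   # planted file present, no SVG output in this notebook
    return "ok", []

def demo():
    """Run the check on a constructed notebook directory (sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        nb = Path(tmp) / "report.ipynb"
        cell = {"cell_type": "code", "source": [], "outputs": [
            {"output_type": "display_data", "data": {"image/svg+xml": "<svg/>"}}]}
        nb.write_text(json.dumps({"cells": [cell], "nbformat": 4}), encoding="utf-8")
        before = preflight(nb)[0]
        # Constructed, harmless stand-in for the planted file.
        (Path(tmp) / "Inkscape.BAT").write_text("rem placeholder\n")
        after, hits = preflight(nb)
        return before, after, [h.name for h in hits]

if __name__ == "__main__":
    print(demo())
```

Run preflight on each notebook before jupyter nbconvert --to pdf and stop when it returns anything other than "ok".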
