CVE-2025-53000

nbconvert has an uncontrolled search path that leads to unauthorized code execution on Windows

Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0.

INFO

Published Date :

2025-12-17T20:27:59.578Z

Last Modified :

2026-02-18T18:36:34.309Z

Source :

GitHub_M

AFFECTED PRODUCTS

The following products are affected by CVE-2025-53000 vulnerability.

Vendors	Products
Jupyter	Nbconvert
Microsoft	Windows

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-53000.

URL	Resource
https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104
https://github.com/jupyter/nbconvert/commit/c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71
https://github.com/jupyter/nbconvert/issues/2258
https://github.com/jupyter/nbconvert/releases/tag/v7.17.0
https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf
https://nvd.nist.gov/vuln/detail/CVE-2025-53000
https://www.cve.org/CVERecord?id=CVE-2025-53000
https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports