CVE-2025-30370

CVSS 3.1 Score 7.4 of 10 (high)

Details

Published: Apr 3, 2025
Updated: Apr 7, 2025
CWE ID: 78 (OS Command Injection)

Summary

CVE-2025-30370 is a vulnerability in the jupyterlab-git extension for JupyterLab, which lets users perform version control with Git. On macOS and most Linux distributions, a Git repository can be created whose directory name contains shell command substitution strings. If a user starts JupyterLab in the parent directory of such a repository and clicks "Git > Open Git Repository in Terminal" in the menu bar, the command embedded in the directory name is executed in the user's shell without their permission. This happens because jupyterlab-git opens a terminal and runs cd <git-repo-path> with the path inserted verbatim, so the shell evaluates any command substitution strings present in the directory name, resulting in command injection. An earlier patch provided an incomplete fix; the issue is resolved in version 0.51.1.
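The following is an added example, not code from jupyterlab-git or from the advisory. It contrasts the pattern the summary describes (pasting a repository path verbatim into a cd command sent to the terminal) with the corrected pattern of quoting the path for a POSIX shell, and it adds a defender-side scan that flags repository directory names carrying shell substitution syntax. The directory names, the temporary workspace and the regular expression are constructed for the demonstration and are assumptions; nothing here is executed by a shell.

```python
"""Added example (not jupyterlab-git's own code): why `cd <path>` with the path
inserted verbatim is dangerous, how shlex.quote makes the path a single literal
word, and a scan that flags repository names carrying shell substitution syntax."""
import os
import re
import shlex
import shutil
import tempfile

# Shell syntax that a POSIX shell expands inside an unquoted word:
# $(...), backticks and ${...}. This pattern is an assumption for the scan below.
SUBSTITUTION_SYNTAX = re.compile(r"\$\(|`|\$\{")


def cd_command_unsafe(repo_path: str) -> str:
    """The pattern the advisory describes: the path is pasted verbatim, so the
    shell sees (and would evaluate) any substitution syntax it contains."""
    return f"cd {repo_path}"


def cd_command_safe(repo_path: str) -> str:
    """shlex.quote wraps the path in single quotes when it contains anything
    outside a safe character set, escaping embedded single quotes, so the shell
    receives the whole name as one literal argument to cd."""
    return f"cd {shlex.quote(repo_path)}"


def shell_words(command: str) -> list[str]:
    """Tokenise like a POSIX shell (quoting rules only, no expansion) to show
    how many arguments cd would actually receive."""
    return shlex.split(command)


def contains_substitution_syntax(name: str) -> bool:
    """True if the name would be expanded by the shell when used unquoted."""
    return SUBSTITUTION_SYNTAX.search(name) is not None


def find_suspicious_repos(parent: str) -> list[str]:
    """Defender check: git repositories directly under `parent` whose directory
    name carries substitution syntax. Returned sorted for stable output."""
    hits = []
    with os.scandir(parent) as entries:
        for entry in entries:
            if not entry.is_dir(follow_symlinks=False):
                continue
            is_repo = os.path.isdir(os.path.join(entry.path, ".git"))
            if is_repo and contains_substitution_syntax(entry.name):
                hits.append(entry.name)
    return sorted(hits)


def scan_constructed_workspace() -> list[str]:
    """Build a throwaway workspace with constructed directory names (sample
    values, not taken from the advisory), scan it, and clean it up. The
    substitution payloads are harmless echo calls and are never executed."""
    root = tempfile.mkdtemp(prefix="jlab-git-demo-")
    try:
        repos = ("plain-repo", "repo-$(echo x)", "repo-`echo y`")
        for name in repos + ("not-a-repo-$(echo z)",):
            os.makedirs(os.path.join(root, name), exist_ok=True)
        for name in repos:  # only these three look like git repositories
            os.makedirs(os.path.join(root, name, ".git"), exist_ok=True)
        return find_suspicious_repos(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    name = "repo-$(echo x)"
    print("unsafe:", cd_command_unsafe(name), "->", shell_words(cd_command_unsafe(name)))
    print("safe:  ", cd_command_safe(name), "->", shell_words(cd_command_safe(name)))
    print("flagged repositories:", scan_constructed_workspace())
```

The quoted form only protects a POSIX shell (sh, bash, zsh); shlex.quote does not produce valid quoting for cmd.exe or PowerShell, so a terminal integration has to know which shell it is writing to. The scan is a detection aid for a workspace parent directory, not a substitute for the fixed extension version.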
