CVE-2025-30370 is a high-severity OS command injection vulnerability in jupyterlab-git (pip), affecting versions < 0.51.1. It is fixed in 0.51.1.
Overview

On many platforms, a third party can create a Git repository under a name that includes a shell command substitution [^1] string in the syntax $(<command>). Such directory names are allowed on macOS and on the majority of Linux distributions [^2]. If a user starts jupyter-lab in a parent directory of this inappropriately named Git repository, opens it, and clicks "Git > Open Git Repository in Terminal" from the menu bar, then the injected command <command> runs in the user's shell without the user's consent.

This happens because, when that menu entry is clicked, jupyterlab-git opens a terminal and runs cd <git-repo-path> through the shell to set the current directory [^3]. The shell parses that typed line like any other command, so any command substitution present in the directory name is evaluated; that is the command injection described here. A previous patch provided an incomplete fix [^4].

[^1]: https://www.gnu.org/software/bash/manual/html_node/Command-Substitution.html
[^2]: https://www.gnu.org/software/libc/manual/html_node/File-Name-Portability.html
[^3]: https://github.com/jupyterlab/jupyterlab-git/blob/7eb3b06f0092223bd5494688ec264527bbeb2195/src/commandsAndMenu.tsx#L175-L184
[^4]: https://github.com/jupyterlab/jupyterlab-git/pull/1196

Scope of Impact

This issue allows arbitrary code execution via command injection, in the user's shell and therefore with that user's privileges. A wide range of actions is possible, including but not limited to modifying files, exfiltrating data, halting services, or tampering with the server's security configuration. We have scanned the source code of jupyterlab-git for other command injection risks and have not found any at the time of writing. This issue was reproduced on the latest release of jupyterlab-git, v0.51.0. The steps taken to reproduce it are described in the "Proof-of-concept" section below.

Proof-of-concept

1. Create a new directory: mkdir test/ && cd test/
2. Under test/, create a new Git repository whose directory name is the command substitution string $(touch pwned.txt).
3. Start JupyterLab from test/ by running jupyter lab.
4. With JupyterLab open in the browser, double-click $(touch pwned.txt) in the file browser.
5. From the top menu bar, click "Git > Open Git Repository in Terminal".
6. Verify that pwned.txt has been created under test/. This demonstrates the command injection issue described here.

Proof-of-concept mitigation

The issue can be mitigated by a patch that removes the cd <git-repo-path> shell command that causes it. To preserve the existing behaviour, the cwd argument is instead set to <git-repo-path> when the terminal session is created via the terminal:create-new JupyterLab command. The path is then handed to the terminal backend as data rather than typed into the shell as part of a command line, so the shell never parses it, and the application behaves as before. We have verified that this patch works when applied to a local installation of jupyterlab-git. We have also verified that the cwd argument is available in all versions of JupyterLab 4, so the patch should be fully backwards-compatible.

Workarounds

We recommend that users upgrade to the patched version listed on this GHSA. If a user is unable to upgrade, there are three ways to mitigate this vulnerability without upgrading, each of which removes the terminal functionality that the vulnerable menu entry depends on:

1. Disable terminals at the jupyter-server level: c.ServerApp.terminals_enabled = False
2. Disable the terminals server extension: jupyter server extension disable jupyter_server_terminals
3. Disable the lab extension: jupyter labextension disable @jupyterlab/terminal-extension
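The following script is an added example, not code from the advisory or from the jupyterlab-git project. It reproduces the root cause of the proof-of-concept and the reasoning behind the mitigation outside JupyterLab: the vulnerable code typed the bytes cd <git-repo-path>\n into the terminal, so here the same bytes are fed to the stdin of a non-interactive sh (standing in for the user's interactive bash or zsh), started with its working directory set to the parent directory, as a JupyterLab terminal launched from test/ would be. The repository directory is recreated from the advisory's name $(touch pwned.txt) without running git init, since the shell behaviour does not depend on it. It assumes a POSIX sh, mktemp and sed. It also goes beyond the advisory in two ways: it shows that wrapping the path in double quotes still runs the substitution (double quotes do not suppress $(...) in POSIX shells, which is why quoting alone is an incomplete defence), and it shows the two patterns that are actually safe, a single-quoting helper for cases where a command line must be typed, and starting the shell with its cwd already set, which is what the cwd argument to terminal:create-new achieves. Function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not jupyterlab-git code): simulates typing "cd <path>\n" into a
# terminal whose shell then parses the line. Assumes POSIX sh, mktemp and sed.

# The directory name from the advisory's proof of concept (constructed input).
REPO_NAME='$(touch pwned.txt)'

# Create a scratch parent directory (the advisory's test/) containing the
# dangerously named repository. The variable is quoted, so the name is created
# literally; nothing is executed at this point.
setup_workdir() {
  work=$(mktemp -d)
  mkdir "$work/$REPO_NAME"
  echo "$work"
}

# Marker check: did the injected `touch pwned.txt` run? Exit status 0 means yes.
injected_command_ran() {
  [ -e "$1/pwned.txt" ]
}

# Feed one command line to a fresh shell whose cwd is the parent directory,
# the same situation as a JupyterLab terminal started from test/.
type_into_shell() {
  work=$1; line=$2
  rm -f "$work/pwned.txt"
  ( cd "$work" && printf '%s\n' "$line" | sh -s )
}

# Vulnerable: the path is interpolated into the command line unquoted.
# The shell sees `cd /tmp/x/$(touch pwned.txt)`, runs touch, then cd /tmp/x/.
simulate_unquoted_cd() {
  type_into_shell "$1" "cd $1/$REPO_NAME"
  injected_command_ran "$1"
}

# Still vulnerable: double quotes do not suppress $(...) in POSIX shells,
# so quoting the path this way is not a fix.
simulate_double_quoted_cd() {
  type_into_shell "$1" "cd \"$1/$REPO_NAME\""
  injected_command_ran "$1"
}

# Safe if a command line must be typed: single-quote it, escaping any
# embedded single quotes as '\''. Inside single quotes nothing is expanded.
shell_single_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

simulate_single_quoted_cd() {
  type_into_shell "$1" "cd $(shell_single_quote "$1/$REPO_NAME")"
  injected_command_ran "$1"
}

# The fix pattern: never type a cd at all. Start the shell with its working
# directory already set (JupyterLab's terminal:create-new takes a cwd argument
# for this). The name reaches chdir(2) as data; the shell never parses it.
simulate_cwd_spawn() {
  rm -f "$1/pwned.txt"
  ( cd "$1/$REPO_NAME" && printf 'pwd\n' | sh -s >/dev/null )
  injected_command_ran "$1"
}

# Stand-alone demonstration: reports which variants ran the injected command.
report() { if "$1" "$2"; then echo "$1: injected command RAN"; else echo "$1: safe"; fi; }
WORK=$(setup_workdir)
for fn in simulate_unquoted_cd simulate_double_quoted_cd simulate_single_quoted_cd simulate_cwd_spawn; do
  report "$fn" "$WORK"
done
rm -rf "$WORK"
```

Run it as sh example.sh; the first two variants create pwned.txt in the scratch directory, the last two do not. The cwd-spawn pattern is the one to prefer over any quoting: it removes the shell from the path-handling step entirely instead of trying to escape what the shell will parse.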
Untrusted input (here, a directory name chosen by a third party) reaches a shell command line, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment, with the privileges of the user running JupyterLab.
CVE-2025-30370 has a CVSS score of 7.4 (High). The vector requires local access, low privileges, and user interaction: the attacker must get the malicious directory name onto a filesystem the victim browses with JupyterLab, and the victim must open that repository and click the menu entry. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (0.51.1). Upgrading removes the vulnerable code path.
Affected: jupyterlab-git (pip) < 0.51.1. Fixed in: jupyterlab-git 0.51.1 (pip).

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2025-30370 is reachable in your applications.
Upgrade jupyterlab-git to 0.51.1 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
jupyterlab-git (pip) versions < 0.51.1 are affected. CVE-2025-30370 is fixed in 0.51.1; upgrade to that version or later.