QwikSec

Security Database

CVE

CWE

Training

CVE-2025-53000

Published: Dec 17, 2025

Modified: Feb 18, 2026

PUBLISHED

Description

The nbconvert tool, jupyter nbconvert, converts Jupyter notebooks to various other formats via Jinja templates. Versions of nbconvert up to and including 7.16.6 on Windows have a vulnerability in which converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a `inkscape.bat` file that defines a Windows batch script, capable of arbitrary code execution. When a user runs `jupyter nbconvert --to pdf` on a notebook containing SVG output to a PDF on a Windows platform from this directory, the `inkscape.bat` file is run unexpectedly. This issue has been patched in version 7.17.0.

Vendor	Product	Versions
jupyter	nbconvert	affected `< 7.17.0`

Weaknesses (CWE)

References

https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf

x_refsource_CONFIRM

https://github.com/jupyter/nbconvert/issues/2258

x_refsource_MISC

https://github.com/jupyter/nbconvert/commit/c9ac1d1040459ed1ff9eb34e9918ce5a87cf9d71

x_refsource_MISC

https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104

x_refsource_MISC

https://github.com/jupyter/nbconvert/releases/tag/v7.17.0

x_refsource_MISC

https://www.imperva.com/blog/code-execution-in-jupyter-notebook-exports

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.