{"url":"http://public2.vulnerablecode.io/api/packages/791933?format=json","purl":"pkg:pypi/jupyterlab-git@0.50.0","type":"pypi","namespace":"","name":"jupyterlab-git","version":"0.50.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"0.51.1","latest_non_vulnerable_version":"0.51.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/89674?format=json","vulnerability_id":"VCID-eae1-gh7s-gbd2","summary":"jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(<command>). These directory names are allowed in macOS and a majority of Linux distributions. If a user starts jupyter-lab in a parent directory of this inappropriately-named Git repository, opens it, and clicks \"Git > Open Git Repository in Terminal\" from the menu bar, then the injected command <command> is run in the user's shell without the user's permission. This issue is occurring because when that menu entry is clicked, jupyterlab-git opens the terminal and runs cd <git-repo-path> through the shell to set the current directory. Doing so runs any command substitution strings present in the directory name, which leads to the command injection issue described here. A previous patch provided an incomplete fix. This vulnerability is fixed in 0.51.1.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30370.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-30370.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30370","reference_id":"","reference_type":"","scores":[{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28662","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00107","scoring_system":"epss","scoring_elements":"0.28466","published_at":"2026-06-11T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-30370"},{"reference_url":"https://github.com/jupyterlab/jupyterlab-git","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/jupyterlab/jupyterlab-git"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30370","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-30370"},{"reference_url":"https://github.com/jupyterlab/jupyterlab-git/pull/1196","reference_id":"1196","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-04T18:35:51Z/"}],"url":"https://github.com/jupyterlab/jupyterlab-git/pull/1196"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2357342","reference_id":"2357342","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2357342"},{"reference_url":"https://github.com/jupyterlab/jupyterlab-git/commit/b46482993f76d3a546015c6a94ebed8b77fc2376","reference_id":"b46482993f76d3a546015c6a94ebed8b77fc2376","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-04T18:35:51Z/"}],"url":"https://github.com/jupyterlab/jupyterlab-git/commit/b46482993f76d3a546015c6a94ebed8b77fc2376"},{"reference_url":"https://github.com/jupyterlab/jupyterlab-git/blob/7eb3b06f0092223bd5494688ec264527bbeb2195/src/commandsAndMenu.tsx#L175-L184","reference_id":"commandsAndMenu.tsx#L175-L184","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-04T18:35:51Z/"}],"url":"https://github.com/jupyterlab/jupyterlab-git/blob/7eb3b06f0092223bd5494688ec264527bbeb2195/src/commandsAndMenu.tsx#L175-L184"},{"reference_url":"https://github.com/advisories/GHSA-cj5w-8mjf-r5f8","reference_id":"GHSA-cj5w-8mjf-r5f8","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-cj5w-8mjf-r5f8"},{"reference_url":"https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-cj5w-8mjf-r5f8","reference_id":"GHSA-cj5w-8mjf-r5f8","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-04-04T18:35:51Z/"}],"url":"https://github.com/jupyterlab/jupyterlab-git/security/advisories/GHSA-cj5w-8mjf-r5f8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376492?format=json","purl":"pkg:pypi/jupyterlab-git@0.51.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterlab-git@0.51.1"}],"aliases":["CVE-2025-30370","GHSA-cj5w-8mjf-r5f8"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-eae1-gh7s-gbd2"}],"fixing_vulnerabilities":[],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/jupyterlab-git@0.50.0"}