Skip to content

Update dependency nbconvert to v7.17.0 [SECURITY]#519

Merged
JohT merged 1 commit intomainfrom
renovate/pypi-nbconvert-vulnerability
Mar 1, 2026
Merged

Update dependency nbconvert to v7.17.0 [SECURITY]#519
JohT merged 1 commit intomainfrom
renovate/pypi-nbconvert-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Feb 10, 2026

This PR contains the following updates:

Package Change Age Confidence
nbconvert ==7.16.6==7.17.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-53000

Summary

On Windows, converting a notebook containing SVG output to a PDF results in unauthorized code execution. Specifically, a third party can create a inkscape.bat file that defines a Windows batch script, capable of arbitrary code execution.

When a user runs jupyter nbconvert --to pdf on a notebook containing SVG output to a PDF on a Windows platform from this directory, the inkscape.bat file is run unexpectedly.

Details

Give all details on the vulnerability. Pointing to the incriminated source code is very helpful for the maintainer.

nbconvert searches for an inkscape executable when converting notebooks to PDFs here: https://github.com/jupyter/nbconvert/blob/4f61702f5c7524d8a3c4ac0d5fc33a6ac2fa36a7/nbconvert/preprocessors/svg2pdf.py#L104

The MITRE page on CWE-427 (Uncontrolled Search Path Element) summarizes the root cause succinctly:

In Windows-based systems, when the LoadLibrary or LoadLibraryEx function is called with a DLL name that does not contain a fully qualified path, the function follows a search order that includes two path elements that might be uncontrolled:

  • the directory from which the program has been loaded
  • the current working directory

PoC

Complete instructions, including specific configuration details, to reproduce the vulnerability.

  1. Create a directory containing:

    • A hidden bat file called inkscape.bat containing msg * "You've been hacked!"

    • A dummy ipynb file called Machine_Learning.ipynb

  2. Run the command jupyter nbconvert --to pdf Machine_Learning.ipynb.

  3. Wait a few seconds, and you should see a popup showing the message "You've been hacked!"

Impact

All Windows users.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@JohT JohT force-pushed the renovate/pypi-nbconvert-vulnerability branch from 49932c9 to 309c73c Compare February 12, 2026 06:56
@renovate renovate Bot force-pushed the renovate/pypi-nbconvert-vulnerability branch from 309c73c to 9740198 Compare February 12, 2026 15:59
@JohT JohT force-pushed the renovate/pypi-nbconvert-vulnerability branch from 9740198 to 84b52b0 Compare March 1, 2026 11:03
@renovate renovate Bot force-pushed the renovate/pypi-nbconvert-vulnerability branch from 84b52b0 to 2ecd771 Compare March 1, 2026 11:56
@JohT JohT merged commit 22720c1 into main Mar 1, 2026
7 checks passed
@JohT JohT deleted the renovate/pypi-nbconvert-vulnerability branch March 1, 2026 12:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JohT