PT-2025-14811 · Unknown · Jupyterlab-Git

Published 2025-04-03 · Updated 2025-04-04 · CVE-2025-30370

CVSS v3.1: 7.4 (High)
Vector: AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:H
Name of the Vulnerable Software and Affected Versions: jupyterlab-git versions prior to 0.51.1

Description: The issue arises when a user opens a maliciously named Git repository in jupyterlab-git and selects "Git > Open Git Repository in Terminal" from the menu bar. This action can lead to the execution of injected commands in the user's shell without the user's consent. The root cause is that jupyterlab-git runs cd <git-repo-path> through the shell to change into the repository directory, so command substitution strings present in the directory name are expanded and executed by the shell. A previous patch did not fully address the issue.

Recommendations: For versions prior to 0.51.1, update to version 0.51.1 to resolve the issue. As a temporary workaround, avoid using the "Git > Open Git Repository in Terminal" menu entry until the update is applied. Restrict access to maliciously named Git repositories to minimize the risk of exploitation.
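As an added illustration (my own code, not jupyterlab-git's implementation or its actual fix), the Python below contrasts dropping a repository path unquoted into a shell cd line with quoting it via shlex.quote, which makes the shell treat a $(...) sequence in the directory name as literal characters. The helper names and the constructed directory name are assumptions for the demonstration; only the quoted form is executed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed directory name carrying a command-substitution string.
# The directory is created locally so the example runs offline.
TRICKY_NAME = "repo-$(echo substituted)"


def build_cd_unquoted(repo_path: str) -> str:
    """The pattern the advisory describes: the path is interpolated
    directly into a shell command line, so sh expands $(...) inside it."""
    return f"cd {repo_path}"


def build_cd_quoted(repo_path: str) -> str:
    """Hardened form: shlex.quote wraps the path in single quotes (and
    escapes embedded single quotes), so sh performs no expansion on it."""
    return f"cd {shlex.quote(repo_path)}"


def contains_unquoted_substitution(command: str) -> bool:
    """Review check: is there a $( or backtick outside single quotes?
    Text inside single quotes is never expanded by a POSIX shell."""
    in_single = False
    for i, ch in enumerate(command):
        if ch == "'":
            in_single = not in_single
        elif not in_single and (ch == "`" or command.startswith("$(", i)):
            return True
    return False


def resolve_in_shell(command: str) -> str:
    """Run a cd command in /bin/sh and return the physical directory
    the shell ended up in."""
    result = subprocess.run(["sh", "-c", f"{command} && pwd -P"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def demo() -> tuple:
    """Create the tricky directory, run only the quoted cd through sh,
    and return (expected real path, path the shell actually entered)."""
    with tempfile.TemporaryDirectory() as base:
        repo = os.path.join(base, TRICKY_NAME)
        os.mkdir(repo)
        return os.path.realpath(repo), resolve_in_shell(build_cd_quoted(repo))
```

The same check applies to any terminal command assembled from a user-controlled path: single-quote the path (or pass it as an argument without a shell) rather than wrapping it in double quotes, inside which $(...) is still expanded.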

Weakness Enumeration: OS Command Injection

Related Identifiers:
BDU:2025-03877
CVE-2025-30370
GHSA-CJ5W-8MJF-R5F8

Affected Products: Jupyterlab-Git