marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
marimo is a reactive Python notebook. Before 0.23.0, marimo has a pre-authentication remote code execution (RCE) vulnerability: the terminal WebSocket endpoint /terminal/ws does not validate authentication, so an unauthenticated attacker who can reach the server can obtain a full PTY shell and execute arbitrary system commands with the privileges of the notebook server process. Other WebSocket endpoints (for example /ws) correctly call validate_auth() before accepting a connection; /terminal/ws only checked the running mode and platform support before accepting, skipping authentication verification entirely. This vulnerability is fixed in 0.23.0.
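The bug class described above is a route-specific gate (mode and platform checks) that never calls the shared authentication check. The following is an added example that models that pattern and its fix; it is not marimo's code, and the names used (validate_auth, FakeWebSocket, terminal_ws_vulnerable, terminal_ws_fixed, audit_websocket_routes, the access_token parameter and the sample SERVER_TOKEN) are assumptions for illustration. The audit helper shows the check a maintainer would want: drive every WebSocket handler with a client that carries no credential and flag any handler that still accepts.

```python
"""Added example (not marimo's code): a WebSocket handler that gates on mode
and platform but never consults authentication, beside the hardened form, plus
a behavioural audit that flags any handler accepting an unauthenticated client.
All names and the sample token are assumptions constructed for this example."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample: stands in for the server-side session/access token.
SERVER_TOKEN = "s3cret-session-token"


@dataclass
class FakeWebSocket:
    """Minimal stand-in for a Starlette-style WebSocket with the fields we inspect."""
    query_params: Dict[str, str] = field(default_factory=dict)
    cookies: Dict[str, str] = field(default_factory=dict)
    accepted: bool = False
    close_code: Optional[int] = None

    def accept(self) -> None:
        self.accepted = True

    def close(self, code: int = 1008) -> None:  # 1008 = policy violation
        self.close_code = code


def validate_auth(ws: FakeWebSocket) -> bool:
    """Shared check: token from query string or cookie, compared in constant time."""
    supplied = ws.query_params.get("access_token") or ws.cookies.get("access_token") or ""
    return hmac.compare_digest(supplied.encode(), SERVER_TOKEN.encode())


def _mode_and_platform_ok(mode: str, platform: str) -> bool:
    # Assumed gates: terminal only in edit mode and only where a PTY is available.
    return mode == "edit" and platform != "win32"


def terminal_ws_vulnerable(ws: FakeWebSocket, mode: str = "edit", platform: str = "linux") -> bool:
    """The bug class: mode/platform are checked, authentication never is."""
    if not _mode_and_platform_ok(mode, platform):
        ws.close(1008)
        return False
    ws.accept()           # unauthenticated client gets the PTY channel
    return True


def terminal_ws_fixed(ws: FakeWebSocket, mode: str = "edit", platform: str = "linux") -> bool:
    """Hardened form: the same gates, plus the shared auth check before accept()."""
    if not _mode_and_platform_ok(mode, platform):
        ws.close(1008)
        return False
    if not validate_auth(ws):
        ws.close(1008)    # reject before any shell is spawned
        return False
    ws.accept()
    return True


def audit_websocket_routes(routes: Dict[str, Callable[..., bool]]) -> List[str]:
    """Behavioural audit: connect to each route with NO credential and return the
    paths that accept anyway. Every route in the result is missing auth."""
    flagged = []
    for path, handler in routes.items():
        anonymous = FakeWebSocket()      # no token, no cookie
        if handler(anonymous):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    routes = {"/ws": terminal_ws_fixed, "/terminal/ws": terminal_ws_vulnerable}
    print("routes accepting unauthenticated clients:", audit_websocket_routes(routes))
```

The audit is deliberately behavioural rather than source-based: it catches the case the advisory describes (a gate that looks like a check but is not an authentication check) regardless of how the handler is written. Until a deployment is on 0.23.0 or later, the practical caveat is that any network path to the server is a path to a shell, so the server should not be reachable by untrusted clients.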
References
- https://github.com/marimo-team/marimo/security/advisories/GHSA-2679-6mx9-h9xc (x_refsource_CONFIRM)
- https://github.com/marimo-team/marimo/pull/9098 (x_refsource_MISC)
Affected products
- < 0.23.0
Matching in nixpkgs
- pkgs.marimo: Reactive Python notebook that's reproducible, git-friendly, and deployable as scripts or apps
- pkgs.python312Packages.marimo: Reactive Python notebook that's reproducible, git-friendly, and deployable as scripts or apps
- pkgs.python313Packages.marimo: Reactive Python notebook that's reproducible, git-friendly, and deployable as scripts or apps
- pkgs.python314Packages.marimo: Reactive Python notebook that's reproducible, git-friendly, and deployable as scripts or apps
Package maintainers
- @dmadisetti Dylan Madisetti <nix@madisetti.me>
- @akshayka Akshay Agrawal