Kritische Sicherheitslücke in Marimo ermöglicht Remote-Code-Execution-Angriffe

Security researchers warn that the vulnerability is already being weaponized to deploy NKAbuse malware, with payloads hosted Hugging Face Spaces, an increasingly popular platform for sharing AI tools and machine learning applications. Marimo Security Vulnerability The issue affects Marimo versions ≤ 0.22.x concerning the /terminal/ws WebSocket endpoint.

Due to improper access control, the endpoint accepts unauthenticated connections. It directly launches a pseudo-terminal (PTY) session using pty.fork(). Unlike other protected endpoints, /terminal/ws lacks authentication enforcement, creating a critical security gap.

The issue stems from missing access control checks in the WebSocket handler: @router.websocket("/terminal/ws") async def websocket_endpoint(websocket: WebSocket) -> None: await websocket.accept() child_pid, fd = pty.fork() # Spawns system shell Once connected, attackers gain interactive shell access and can execute arbitrary commands on the host system.

Technik und Auswirkungen

Marimo is widely used as a modern alternative Jupyter Notebook, particularly in: AI and machine learning prototyping. Data science experiments. Internal analytics dashboards. Research and engineering workflows.

These environments often run in containers or cloud infrastructure, with access to sensitive resources such as API keys, databases, and internal services. Because Marimo executes real Python code and interacts directly with the system, exploitation of this flaw leads to immediate and complete compromise.

A basic Python exploit looks like this: import websocket ws = websocket.WebSocket() ws.connect("ws://target:2718/terminal/ws") ws.send("id\n") print(ws.recv()) ws.close() According Resecurity, exploitation is straightforward and requires no authentication. The attacker connects to ws://target:2718/terminal/ws.

Technischer Hintergrund

The server accepts the connection without validating identity. A PTY-backed shell is spawned on the system. The attacker executes commands such as whoami and id, or runs data-extraction scripts. This effectively turns the vulnerable instance into a remotely accessible terminal.

Threat actors are leveraging the flaw to deliver NKAbuse malware, pulling payloads from Hugging Face-hosted repositories. This highlights a growing trend where legitimate AI platforms are abused to distribute malicious tools, blending into normal developer activity. Successful exploitation can result in: Full system compromise via pre-auth RCE.

Exposure of sensitive data including.env files, API keys, and credentials. Lateral movement across internal networks. Persistence through cron jobs or startup scripts. Container escape or host-level compromise in misconfigured environments. Theft of proprietary AI models and datasets.

Einordnung fuer Autofahrer

Because Marimo instances often sit within trusted environments, a single breach can escalate into a broader infrastructure incident. The vulnerability arises from a flawed WebSocket security model. While Marimo uses authentication middleware, it does not enforce endpoint-level access control.

As a result: /ws endpoint → properly protected. /terminal/ws endpoint → no authentication checks. This inconsistency creates an authentication bypass, exposing dangerous functionality directly to attackers. Mitigation and Recommendations Organizations are urged to take immediate action: Upgrade Marimo 0.23.0 or later.

Avoid exposing instances to public networks. Restrict access using VPNs or authenticated reverse proxies. Run containers as non-root and limit privileges. Rotate secrets and remove sensitive data from notebook environments. Monitor for suspicious WebSocket activity and shell spawning behavior.

Security teams should assume potential compromise

Security teams should assume potential compromise and proactively hunt for persistence mechanisms or unusual lateral movement. This vulnerability underscores a critical lesson: WebSocket endpoints require explicit authentication enforcement.

In high-risk environments like AI and data science platforms, even a single oversight can open the door to full system takeover. Abi is Security Editor and fellow reporter with