Technical description
A pre-authentication remote code execution vulnerability in Marimo, a reactive Python notebook popular in AI/ML development. The terminal WebSocket endpoint /terminal/ws performs no authentication check, allowing unauthenticated attackers to execute arbitrary commands on the server.
Attack vector
An attacker connects to the unprotected /terminal/ws WebSocket endpoint without authentication and executes arbitrary system commands. The Sysdig Threat Research Team observed the first exploitation attempt 9 hours 41 minutes after advisory publication, with attackers building exploits directly from the advisory.
Affected systems
Marimo versions ≤ 0.20.4. Compromised environments typically expose credentials for OpenAI, Anthropic, and Google LLM APIs, as well as broader AI infrastructure access.
Mitigation
Update to Marimo version 0.23.0 immediately. Audit any Marimo instances exposed to the network for signs of compromise. Rotate all API keys and credentials accessible from Marimo environments.
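One way to start the audit step above, as an added example that is not code from Marimo or from the Sysdig report: group requests for /terminal/ws in access logs by client address and separate completed WebSocket upgrades (HTTP 101) from refused ones. It assumes a reverse proxy in front of Marimo that writes combined-format access logs; the trusted address set and the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumption: a reverse proxy in front of Marimo writes combined-format access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
TERMINAL_PATH = "/terminal/ws"  # endpoint named in the advisory
TRUSTED = {"10.0.0.5"}          # constructed: addresses of known notebook operators


def terminal_ws_hits(lines, trusted=TRUSTED):
    """Return {ip: {"upgraded": [timestamps], "refused": [timestamps]}}.

    Status 101 means the WebSocket handshake completed, so a terminal
    session was opened; any other status means the request did not upgrade.
    """
    hits = defaultdict(lambda: {"upgraded": [], "refused": []})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        # Drop the query string and a trailing slash; endswith() also
        # matches deployments served under a URL prefix.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if not path.endswith(TERMINAL_PATH) or m["ip"] in trusted:
            continue
        bucket = "upgraded" if m["status"] == "101" else "refused"
        hits[m["ip"]][bucket].append(m["ts"])
    return dict(hits)


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2025:09:00:01 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2025:09:41:13 +0000] "GET /terminal/ws HTTP/1.1" 101 0 "-" "example-client"
203.0.113.7 - - [01/Jan/2025:09:41:20 +0000] "GET /terminal/ws?x=1 HTTP/1.1" 101 0 "-" "example-client"
198.51.100.9 - - [01/Jan/2025:10:02:44 +0000] "GET /notebooks/terminal/ws/ HTTP/1.1" 403 153 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2025:10:02:50 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
""".splitlines()

if __name__ == "__main__":
    for ip, seen in terminal_ws_hits(SAMPLE_LOG).items():
        print(ip, "opened:", len(seen["upgraded"]), "refused:", len(seen["refused"]))
```

Any "upgraded" entry from an address outside the trusted set is a terminal session to investigate. An empty result covers only traffic that passed through the logging proxy, not instances reachable directly.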