Technical description
Marimo <0.23.0 exposes an unauthenticated terminal WebSocket endpoint, enabling unauthenticated remote code execution on hosts running notebooks — common in AI/ML development workflows.
Attack vector
Network, low complexity. Attacker connects to the exposed WebSocket and issues shell commands.
Affected systems
Marimo <0.23.0 with network-reachable WebSocket endpoints.
Mitigation
Upgrade to 0.23.0+. Restrict WebSocket access; segment dev environments; monitor anomalous WebSocket connections.