A critical pre-authentication remote code execution vulnerability (GHSA-2679-6mx9-h9xc) in marimo’s /terminal/ws WebSocket endpoint allowed unauthenticated attackers to obtain a full interactive shell on exposed instances. Sysdig TRT observed exploitation 9 hours and 41 minutes after disclosure and a complete credential theft (reading a .env file with AWS keys) in under three minutes, showing rapid weaponization of niche software advisories. #marimo #GHSA-2679-6mx9-h9xc
Keypoints
- GHSA-2679-6mx9-h9xc is a pre-authentication RCE in marimo versions 0.20.4 and earlier that exposes an interactive PTY via the /terminal/ws WebSocket endpoint.
- The advisory named the affected endpoint and lack of authentication, enabling trivial exploitation without a public PoC or CVE at the time of attacks.
- Sysdig TRT baited vulnerable honeypots and recorded the first exploit attempt 9h41m after disclosure, with credential theft completed in under three minutes.
- The attacker used a short scripted PoC to validate access (echo markers + id), then performed manual reconnaissance and targeted the .env file to harvest AWS credentials.
- The operator’s behavior indicates a methodical human workflow (scripted validation, focused objectives, multiple return sessions) rather than a simple automated scanner.
- Recommendations: upgrade marimo to 0.23.0, restrict or disable /terminal/ws, rotate exposed credentials, restrict network access, and monitor WebSocket connections to the terminal endpoint.
MITRE Techniques
- [T1190 ] Exploit Public-Facing Application – The attacker gained access by connecting to an unauthenticated WebSocket endpoint: ‘…the terminal endpoint skips this check entirely, accepting connections from any unauthenticated user and granting a full interactive shell…’
- [T1059 ] Command and Scripting Interpreter – The operator executed shell commands via the interactive terminal to validate and explore the environment: ‘echo ‘—POC-START—‘ id echo ‘—POC-END—”
- [T1082 ] System Information Discovery – The attacker enumerated system context and identity using commands like ‘whoami’ and ‘pwd’: ‘whoami → marimo’ and ‘pwd → /app/marimo’
- [T1016 ] System Network Configuration Discovery – Network interface enumeration was attempted (e.g., ‘ip addr’) to discover network details: ‘They also tried ipaddr (likely meaning ip addr) to enumerate network interfaces.’
- [T1552.001 ] Credentials in Files – The attacker read configuration and environment files to harvest secrets, notably the .env containing AWS keys: ‘cat .env → … AWS_ACCESS_KEY_ID=AKIA01FB…’
- [T1005 ] Data from Local System – The attacker collected local files of interest by reading files in the app directory (docker-compose.yml, celerybeat-schedule, logs): ‘They then methodically attempted to read every file in the directory: cat data cat docker-compose.yml cat celerybeat-schedule…’
Indicators of Compromise
- [IP Address ] exploitation source – 49.207.56.74 (observed performing WebSocket terminal exploitation and credential theft)
- [Endpoint Path ] vulnerable WebSocket endpoint – /terminal/ws (unauthenticated PTY access targeted by attacker)
- [File Name ] credential and config files accessed – .env (contained AWS_ACCESS_KEY_ID=AKIA01FB…), docker-compose.yml (and other files in the app directory)
- [Advisory/Identifier ] vulnerability advisory and fix reference – GHSA-2679-6mx9-h9xc; fix released in marimo v0.23.0 via PR #9098
- [Software Version ] affected versions – marimo 0.20.4 and earlier (update to 0.23.0 or later advised)