Marimo Under Fire: Mitigating the Pre-Auth RCE in Data Science Stacks
Just caught the BleepingComputer report on CVE-2024-39638. It looks like threat actors are actively exploiting a pre-authentication RCE in Marimo (the reactive Python notebook alternative). Since these tools are often exposed for team collaboration, the attack surface is wider than we'd like.
The vulnerability allows attackers to execute arbitrary Python code without credentials, primarily used for credential theft right now. If you're hosting Marimo instances—especially on the public internet—you need to patch immediately.
Here is a quick command to verify your installed version:
pip show marimo
Ensure you are running a patched version (check the vendor advisory). If you are responsible for detection, keep an eye out for unexpected child processes spawned by the Marimo parent Python process, specifically shells or network tools.
Here is a basic KQL query for hunting via Microsoft Defender:
DeviceProcessEvents
| where InitiatingProcessFileName has "python"
| where FileName in~ ("cmd.exe", "powershell.exe", "sh", "bash")
| where ProcessCommandLine has "marimo"
For those managing data science environments, are you treating notebook servers as production workloads regarding patch cadence, or do they usually lag behind?
We treat any notebook server (Jupyter, Marimo, etc.) as inherently hostile. We never expose them directly to the internet. Instead, we force all access through an authenticated reverse proxy (like Authelia + Nginx) and run the container in a rootless, non-networking-privileged mode.
If an attacker pops the RCE, they are stuck in a jailed container with no internet access to exfil data. Defense in depth is key here because these apps are written by data scientists, not security engineers.
Good catch on the KQL. I'd add that you should monitor for unusual outbound connections on port 2718 if you have internal scanners, but more importantly, look for the usage of curl or wget spawned by the notebook process.
pgrep -f "marimo" | xargs -I {} lsof -p {} | grep -E '(TCP|UDP)'
If you see that hitting external IPs, assume compromise.
Beyond the network controls Viktor mentioned, ensure your Marimo instances aren't running with excessive privileges. If the RCE executes as root or a user with access to cloud metadata services, the damage escalates quickly. Verify your deployment version immediately:
pip show marimo
If you're on a version below `0.8.1`, upgrade immediately. Restricting the service account to read-only access where possible also limits the blast radius of credential theft.
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access