VYPR
High severity · NVD Advisory · Published Jun 22, 2023 · Updated Dec 6, 2024

Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows

CVE-2023-35174

Description

CVE-2023-35174: Livebook Desktop for Windows allows arbitrary code execution via a crafted livebook:// URI from a browser, fixed in versions 0.8.2 and 0.9.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Overview

CVE-2023-35174 is a critical vulnerability affecting Livebook Desktop on Windows. Livebook is an open-source web application for writing interactive and collaborative Elixir notebooks [1]. The flaw lies in the handling of the livebook:// protocol handler, which can be invoked from a web browser. An attacker can craft a malicious URI that, when opened by a victim, triggers arbitrary code execution on the Windows machine [2].

Exploitation

Details

Exploitation requires no authentication and can be achieved simply by enticing a user to click a livebook:// link in a browser while Livebook Desktop is installed. The attack surface is particularly dangerous because users expect such links to safely open the Livebook application; instead, the vulnerable handler passes the URI contents directly to execution without sufficient sanitization. The vulnerability is specific to the Windows desktop distribution, as the protocol handler registration on that platform does not properly restrict arguments [2].

Impact

Successful exploitation allows an attacker to execute arbitrary commands or code with the privileges of the logged-in user. This could lead to full compromise of the victim's system, including data theft, installation of malware, or further lateral movement within a network. The CVSS severity is high due to the low attack complexity and minimal user interaction required.

Mitigation

The Livebook project has released patched versions 0.8.2 and 0.9.3 that address this vulnerability [3][4]. Users running Livebook Desktop on Windows should upgrade immediately to one of these fixed versions. No workarounds are documented; users who cannot patch right away may consider disabling or unregistering the livebook:// protocol handler in the interim [2].
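As an added example that is not part of this advisory or of the Livebook project, the following PowerShell script audits the interim mitigation described above on a Windows host: it reports the command registered for the livebook:// scheme and, when run with -Unregister, removes that registration. It assumes the standard per-scheme handler layout under HKEY_CLASSES_ROOT\livebook; the exact registry keys Livebook Desktop writes are not documented on this page.

```powershell
# Added example (not Livebook project code): audit the livebook:// URL
# protocol handler on Windows and optionally unregister it until
# Livebook Desktop is upgraded to 0.8.2 / 0.9.3.
# Assumption: the handler lives under the standard per-scheme location
# HKCR:\livebook (merged view of HKLM\Software\Classes and
# HKCU\Software\Classes); the exact layout Livebook writes was not verified.
param(
    [switch]$Unregister
)

# HKCR: is not mapped as a PowerShell drive by default; map it for this session.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$schemeKey  = 'HKCR:\livebook'
$commandKey = "$schemeKey\shell\open\command"

if (-not (Test-Path $schemeKey)) {
    Write-Output 'livebook:// handler is not registered on this machine.'
    return
}

# A URL protocol handler is marked by the (usually empty) "URL Protocol" value.
$props = Get-ItemProperty -Path $schemeKey -ErrorAction SilentlyContinue
$isUrlProtocol = ($null -ne $props) -and ($props.PSObject.Properties.Name -contains 'URL Protocol')
Write-Output ("Scheme key present: {0}  (URL Protocol flag: {1})" -f $schemeKey, $isUrlProtocol)

if (Test-Path $commandKey) {
    # The "(default)" value is the command line the shell runs for a click on
    # livebook://...; "%1" is replaced by the full URI, so this is the string
    # that a link from a web page ultimately reaches.
    $cmd = (Get-ItemProperty -Path $commandKey).'(default)'
    Write-Output "Handler command: $cmd"
} else {
    Write-Output 'No shell\open\command subkey found under the scheme key.'
}

if ($Unregister) {
    # Interim mitigation from the advisory: drop the registration so browsers
    # no longer dispatch livebook:// links to the desktop app. Needs write
    # access to the hive holding the key (HKLM requires an elevated shell).
    Remove-Item -Path $schemeKey -Recurse -Force
    Write-Output 'livebook:// handler unregistered; upgrading Livebook Desktop restores it.'
}
```

Run it without switches first to record the current handler command for your change log, then with -Unregister only on hosts that cannot be upgraded yet.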

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions     Patched versions
livebook (Hex)   >= 0.8.0, < 0.8.2     0.8.2
livebook (Hex)   >= 0.9.0, < 0.9.3     0.9.3

Affected products: 2

Patches: 2
beb10daaadcc

Merge pull request from GHSA-564w-97r7-c6p9

https://github.com/livebook-dev/livebook · Wojtek Mach · Jun 20, 2023 · via ghsa
2 files changed · +31 −30
  • lib/livebook_app.ex (+4 −27, modified)
    @@ -18,7 +18,10 @@ if Mix.target() == :app do
     
         @impl true
         def handle_info({:event, "open", url}, state) do
    -      open(url)
    +      url
    +      |> Livebook.Utils.expand_desktop_url()
    +      |> Livebook.Utils.browser_open()
    +
           {:noreply, state}
         end
     
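Review bot: `expand_desktop_url/1`, as introduced in lib/livebook/utils.ex in this same commit, has no catch-all clause, so a `url` matching none of the known prefixes now raises a FunctionClauseError inside `handle_info/2` instead of reaching `browser_open/1`. Failing closed is the right direction for an `{:event, "open", url}` that originates from a browser-supplied URI, but the rejection should be explicit, for example a `case` on a variant returning `{:ok, url} | :error`, so that unrecognized input is logged and ignored rather than crashing the handler process.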
    @@ -27,31 +30,5 @@ if Mix.target() == :app do
           Livebook.Config.shutdown()
           {:noreply, state}
         end
    -
    -    defp open("") do
    -      open(LivebookWeb.Endpoint.access_url())
    -    end
    -
    -    defp open("file://" <> path) do
    -      path
    -      |> Livebook.Utils.notebook_open_url()
    -      |> open()
    -    end
    -
    -    defp open("livebook://" <> rest) do
    -      "https://#{rest}"
    -      |> Livebook.Utils.notebook_import_url()
    -      |> open()
    -    end
    -
    -    defp open("/settings") do
    -      %{LivebookWeb.Endpoint.access_struct_url() | path: "/settings"}
    -      |> to_string()
    -      |> open()
    -    end
    -
    -    defp open(url) do
    -      Livebook.Utils.browser_open(url)
    -    end
       end
     end
    
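Review bot: removing the `defp open(url)` fallback is the part of this hunk that closes the hole: previously any string that did not match `""`, `"file://"`, `"livebook://"` or `"/settings"` fell through to `Livebook.Utils.browser_open/1` unchanged, and the `file://` and `livebook://` clauses themselves recursed back into that fallback. A regression test asserting that an unrecognized scheme never reaches `browser_open/1` would pin this behaviour, since nothing in the diff or commit message records that the fallback was dropped deliberately.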
  • lib/livebook/utils.ex (+27 −3, modified)
    @@ -307,6 +307,25 @@ defmodule Livebook.Utils do
         "data:#{mime};base64,#{data}"
       end
     
    +  @doc """
    +  Expands URL received from the Desktop App for opening in the browser.
    +  """
    +  def expand_desktop_url("") do
    +    LivebookWeb.Endpoint.access_url()
    +  end
    +
    +  def expand_desktop_url("/settings") do
    +    to_string(%{LivebookWeb.Endpoint.access_struct_url() | path: "/settings"})
    +  end
    +
    +  def expand_desktop_url("file://" <> path) do
    +    notebook_open_url(path)
    +  end
    +
    +  def expand_desktop_url("livebook://" <> rest) do
    +    notebook_import_url("https://#{rest}")
    +  end
    +
       @doc """
       Opens the given `url` in the browser.
       """
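Review bot: the `@doc` for `expand_desktop_url/1` should state the contract: only the empty string, `/settings`, `file://` and `livebook://` inputs are accepted and anything else raises. The `livebook://` clause still builds `"https://#{rest}"` by interpolation before handing it to `notebook_import_url/1`, so the safety of that path rests on `notebook_import_url/1` encoding its argument as a query parameter; a one-line note here would save the next reader from re-deriving that.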
    @@ -323,10 +342,15 @@ defmodule Livebook.Utils do
     
             {:unix, _} ->
               cond do
    -            System.find_executable("xdg-open") -> {"xdg-open", [url]}
    +            System.find_executable("xdg-open") ->
    +              {"xdg-open", [url]}
    +
                 # When inside WSL
    -            System.find_executable("cmd.exe") -> {"cmd.exe", win_cmd_args}
    -            true -> nil
    +            System.find_executable("cmd.exe") ->
    +              {"cmd.exe", win_cmd_args}
    +
    +            true ->
    +              nil
               end
           end
     
    
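Review bot: this hunk only reflows the `cond` in the `{:unix, _}` branch and changes no behaviour. `win_cmd_args`, which the WSL case passes to `cmd.exe` and which presumably the native Windows branch uses as well, is built outside the visible lines, so the argument handling that matters for the Windows advisory cannot be reviewed from this hunk. Consider keeping formatting-only changes out of a security fix so the functional diff stays minimal and easy to backport.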
2e11b59f677c

Merge pull request from GHSA-564w-97r7-c6p9

https://github.com/livebook-dev/livebook · Wojtek Mach · Jun 20, 2023 · via ghsa
2 files changed · +31 −24
  • lib/livebook_app.ex (+4 −21, modified)
    @@ -15,7 +15,10 @@ if Mix.target() == :app do
     
         @impl true
         def handle_info({:event, "open", url}, state) do
    -      open(url)
    +      url
    +      |> Livebook.Utils.expand_desktop_url()
    +      |> Livebook.Utils.browser_open()
    +
           {:noreply, state}
         end
     
    @@ -24,25 +27,5 @@ if Mix.target() == :app do
           Livebook.Config.shutdown()
           {:noreply, state}
         end
    -
    -    defp open("") do
    -      open(LivebookWeb.Endpoint.access_url())
    -    end
    -
    -    defp open("file://" <> path) do
    -      path
    -      |> Livebook.Utils.notebook_open_url()
    -      |> open()
    -    end
    -
    -    defp open("livebook://" <> rest) do
    -      "https://#{rest}"
    -      |> Livebook.Utils.notebook_import_url()
    -      |> open()
    -    end
    -
    -    defp open(url) do
    -      Livebook.Utils.browser_open(url)
    -    end
       end
     end
    
  • lib/livebook/utils.ex (+27 −3, modified)
    @@ -300,6 +300,25 @@ defmodule Livebook.Utils do
         "data:#{mime};base64,#{data}"
       end
     
    +  @doc """
    +  Expands URL received from the Desktop App for opening in the browser.
    +  """
    +  def expand_desktop_url("") do
    +    LivebookWeb.Endpoint.access_url()
    +  end
    +
    +  def expand_desktop_url("/settings") do
    +    to_string(%{LivebookWeb.Endpoint.access_struct_url() | path: "/settings"})
    +  end
    +
    +  def expand_desktop_url("file://" <> path) do
    +    notebook_open_url(path)
    +  end
    +
    +  def expand_desktop_url("livebook://" <> rest) do
    +    notebook_import_url("https://#{rest}")
    +  end
    +
       @doc """
       Opens the given `url` in the browser.
       """
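Review bot: this backport adds an `expand_desktop_url("/settings")` clause although the `open/1` it replaces in lib/livebook_app.ex on this branch (see the hunk above) had no `/settings` clause. If the 0.8 desktop app never emits `/settings`, the clause is dead code on this branch; if it does, the removed code would have routed it through the old fallback. A line in the commit message saying which holds would help anyone reviewing the backport against the main-branch fix.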
    @@ -316,10 +335,15 @@ defmodule Livebook.Utils do
     
             {:unix, _} ->
               cond do
    -            System.find_executable("xdg-open") -> {"xdg-open", [url]}
    +            System.find_executable("xdg-open") ->
    +              {"xdg-open", [url]}
    +
                 # When inside WSL
    -            System.find_executable("cmd.exe") -> {"cmd.exe", win_cmd_args}
    -            true -> nil
    +            System.find_executable("cmd.exe") ->
    +              {"cmd.exe", win_cmd_args}
    +
    +            true ->
    +              nil
               end
           end
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
