marimo < 0.23.9 XSS via file Query Parameter in assets.py
Description
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with __new__ to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <0.23.9
Patches
Vulnerability mechanics
Root cause
"Missing escaping of single quotes in the user-controlled `file_key` parameter when interpolated into an inline JavaScript string literal allows reflected XSS."
Attack vector
An unauthenticated attacker crafts a link whose `file` query parameter starts with `__new__` (so the request passes the 404 check) and continues with a single-quote-termination payload such as `'-alert(document.domain)-'`. When a victim opens the link, the server reflects the value into an inline `<script>` block as `const notebookId = '__new__'-alert(document.domain)-'';`, which closes the string literal early and runs the attacker's JavaScript in the origin of the marimo server. The page carries no Content-Security-Policy restriction that would block it, so the payload executes with the full privileges of that origin. [ref_id=1]
Affected code
The vulnerability is in `marimo/_server/api/endpoints/assets.py` in the `_inject_service_worker` function. The `file_key` parameter, which is user-controlled via the `file` query parameter, was interpolated directly into a JavaScript string literal using single quotes without escaping. The patch changes the interpolation to use `json_script()` which emits a double-quoted JSON string literal, preventing injection.
What the fix does
The patch replaces the single-quoted string interpolation `'{uri_encode_component(file_key)}'` with `{json_script(uri_encode_component(file_key))}`. The `json_script()` helper emits the value as a properly escaped JSON string literal using double quotes, so any embedded single quotes or `</script>` sequences are neutralized. The test `test_inject_service_worker_escapes_file_key` confirms that a payload containing single quotes no longer breaks out of the string literal and that `</script>` sequences are also sanitized. [patch_id=6466808]
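The mechanics described above, as an added example that is not marimo's own code: a pre-fix and a post-fix shape of the service-worker injection side by side, a `json_script()` stand-in, and a small check that tells whether the reflected value stayed inside its string literal. Everything here is an assumption for illustration: the sample HTML is constructed, `uri_encode_component` is modelled on JavaScript's `encodeURIComponent()` (which leaves `'`, `(`, `)` and `-` unencoded, the property the payload relies on), `resolve_file_key` is a guess at the 404 check, and `json_script` escapes `<`, `>` and `&` on top of `json.dumps()` because JSON alone does not neutralize `</script>`.

```python
import json
from typing import Optional
from urllib.parse import quote

# Constructed sample page; the real template is not reproduced here.
SAMPLE_HTML = "<html><head><title>marimo</title></head><body></body></html>"

# Characters JavaScript's encodeURIComponent() leaves unencoded, besides
# letters and digits. The single quote, parentheses and hyphen are all here,
# so URI-component encoding does nothing to protect a single-quoted JS
# string literal (assumption: marimo's helper mirrors encodeURIComponent).
_URI_SAFE = "-_.!~*'()"


def uri_encode_component(value: str) -> str:
    """Python stand-in for JavaScript's encodeURIComponent()."""
    return quote(value, safe=_URI_SAFE)


def json_script(value: str) -> str:
    """Emit value as a double-quoted JSON string literal safe inside <script>.

    json.dumps() escapes quotes, backslashes and control characters, but JSON
    does not escape '<', '>' or '&', so a raw '</script>' would still end the
    HTML script element. Those three are rewritten as \\uXXXX escapes, which
    the JS engine reads back as the same characters.
    """
    return (
        json.dumps(value)
        .replace("<", "\\u003c")
        .replace(">", "\\u003e")
        .replace("&", "\\u0026")
    )


def resolve_file_key(file_param: str, known_files: set) -> Optional[str]:
    """Model of the 404 check (assumption: the real logic is not on the page).

    Unknown paths are rejected unless they use the '__new__' placeholder,
    which is why the payload has to start with it.
    """
    if file_param.startswith("__new__") or file_param in known_files:
        return file_param
    return None


def inject_service_worker_vulnerable(html: str, file_key: str) -> str:
    """Pre-fix shape: the encoded key is dropped into a single-quoted literal."""
    script = f"<script>const notebookId = '{uri_encode_component(file_key)}';</script>"
    return html.replace("</head>", script + "</head>", 1)


def inject_service_worker_fixed(html: str, file_key: str) -> str:
    """Post-fix shape: the encoded key is emitted through json_script()."""
    script = f"<script>const notebookId = {json_script(uri_encode_component(file_key))};</script>"
    return html.replace("</head>", script + "</head>", 1)


def script_literal_intact(page: str, marker: str = "const notebookId = ") -> bool:
    """Check that the value after marker is one string literal followed by ';'.

    Scans the literal the way a JS lexer would (honouring backslash escapes);
    a value that closed the quote early leaves something other than ';' right
    after the literal. A literal containing '</script' is also rejected, since
    the HTML parser ends the element there regardless of JS syntax.
    """
    start = page.find(marker)
    if start < 0:
        return False
    start += len(marker)
    quote_char = page[start:start + 1]
    if quote_char not in ("'", '"'):
        return False
    i = start + 1
    while i < len(page) and page[i] != quote_char:
        i += 2 if page[i] == "\\" else 1   # a backslash consumes the next char
    if i >= len(page):
        return False                       # literal never closed
    literal = page[start:i + 1]
    if "</script" in literal.lower():
        return False
    return page[i + 1:i + 2] == ";"


if __name__ == "__main__":
    payload = "__new__'-alert(document.domain)-'"
    assert resolve_file_key(payload, set()) == payload   # passes the 404 check
    before = inject_service_worker_vulnerable(SAMPLE_HTML, payload)
    after = inject_service_worker_fixed(SAMPLE_HTML, payload)
    print("vulnerable:", before, "intact:", script_literal_intact(before))
    print("fixed:     ", after, "intact:", script_literal_intact(after))
```

Running it shows the only character that survives `encodeURIComponent`-style encoding and is dangerous in a single-quoted literal is `'`; switching to a double-quoted JSON literal removes it from the attacker's reach, and the extra `\u003c` rewrite keeps `</script>` from ending the element even if a caller later drops the URI encoding.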
Preconditions
- input: The attacker must craft a URL whose `file` query parameter starts with `__new__` and carries a JavaScript injection payload.
- network: The victim must click or navigate to the crafted link while authenticated to (or simply able to reach) the marimo server.
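A triage check that follows from the preconditions above, added here as an example rather than anything marimo ships: it scans web-server access logs for requests whose `file` parameter has the attack shape (a `__new__` prefix plus a quote, angle bracket or backslash once percent-decoded). The log lines are constructed, the Combined Log Format regex and the character list are assumptions, and the value is decoded twice so a double-encoded `%2527` is not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in Combined Log Format (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [18/Jun/2026:10:00:01 +0000] "GET /?file=notebook.py HTTP/1.1" 200 5120',
    '10.0.0.9 - - [18/Jun/2026:10:00:07 +0000] "GET /?file=__new__%27-alert(document.domain)-%27 HTTP/1.1" 200 5190',
    '10.0.0.9 - - [18/Jun/2026:10:00:09 +0000] "GET /?file=__new__%2527-alert(1)-%2527 HTTP/1.1" 200 5190',
    '10.0.0.7 - - [18/Jun/2026:10:00:12 +0000] "GET /?file=__new__ HTTP/1.1" 200 5100',
    '10.0.0.8 - - [18/Jun/2026:10:00:15 +0000] "GET /?file=missing.py%27 HTTP/1.1" 404 120',
]

# Assumed log layout: client ip, ident, user, [timestamp], "GET path HTTP/x".
_REQUEST = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/')

# Any of these in the decoded value can break out of a JS string literal or
# end the script element; a genuine __new__ placeholder carries none of them.
_BREAKOUT_CHARS = set("'\"<>\\")


def file_values(path: str):
    """Yield each `file=` value in the request path, percent-decoded twice so a
    double-encoded payload (%2527) is seen as the quote it turns into."""
    query = urlsplit(path).query
    for value in parse_qs(query, keep_blank_values=True).get("file", []):
        yield unquote(value)  # parse_qs already decoded once


def is_cve_probe(value: str) -> bool:
    """Attack shape from the advisory: __new__ prefix plus a breakout character."""
    return value.startswith("__new__") and any(c in _BREAKOUT_CHARS for c in value)


def scan_log(lines):
    """Return (client_ip, decoded_file_value) for every request matching the shape."""
    hits = []
    for line in lines:
        m = _REQUEST.match(line)
        if not m:
            continue
        ip, path = m.groups()
        for value in file_values(path):
            if is_cve_probe(value):
                hits.append((ip, value))
    return hits


if __name__ == "__main__":
    for ip, value in scan_log(LOG_LINES):
        print(f"{ip} -> {value!r}")
```

Requests that fail the `__new__` prefix never reach the reflection (they hit the 404 check), so the scanner ignores them; a 200 on a flagged line means the payload was served and the recipient of that link should be treated as a potential victim.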
Generated on Jun 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/marimo-team/marimo/commit/fdd55c8cf6260ae23bb411dc9d9269def5cf75d6 (mitre; patch)
- www.vulncheck.com/advisories/marimo-xss-via-file-query-parameter-in-assets-py (mitre; third-party advisory)
- github.com/marimo-team/marimo/pull/9789 (mitre; issue tracking)
- github.com/marimo-team/marimo/releases/tag/0.23.9 (mitre; release notes)
News mentions
No linked articles in our index yet.