CVE-2023-35174

8.6 HIGH

📋 TL;DR

CVE-2023-35174 is a remote code execution vulnerability in Livebook Desktop on Windows. Attackers can craft malicious livebook:// links that, when clicked in a browser, open Livebook Desktop and execute arbitrary code on the victim's machine. All Windows users running vulnerable versions of Livebook Desktop are affected.

💻 Affected Systems

Products:
  • Livebook Desktop
Versions: All versions before 0.8.2, and 0.9.x versions before 0.9.3
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Windows installations. Linux and macOS versions are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the Windows machine, enabling data theft, ransomware deployment, or persistent backdoor installation.

🟠 Likely Case

Attacker executes malicious code with the privileges of the Livebook Desktop user, potentially stealing sensitive data, installing malware, or using the system as a foothold for lateral movement.

🟢 If Mitigated

If proper controls are in place (patched version, network segmentation, least privilege), impact is limited to the Livebook application scope with minimal system access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but is otherwise straightforward via URI handler manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.8.2 or 0.9.3

Vendor Advisory: https://github.com/livebook-dev/livebook/security/advisories/GHSA-564w-97r7-c6p9

Restart Required: Yes

Instructions:

1. Download Livebook Desktop version 0.8.2 or 0.9.3 from official releases.
2. Uninstall previous version.
3. Install patched version.
4. Restart system.

🔧 Temporary Workarounds

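Disable livebook:// URI handler (Windows)

Remove or modify the Windows registry entry that associates livebook:// links with Livebook Desktop. The commands below delete the per-user and machine-wide registrations; the HKLM key can only be deleted from an elevated prompt, and reg reports an error for a key that does not exist: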

reg delete "HKCU\Software\Classes\livebook" /f
reg delete "HKLM\Software\Classes\livebook" /f

Browser URL filtering (all)

Configure browser extensions or policies to block livebook:// links

🧯 If You Can't Patch

  • Run Livebook Desktop with minimal user privileges (not as administrator)
  • Use application whitelisting to prevent execution of unauthorized code

🔍 How to Verify

Check if Vulnerable:

Check the Livebook Desktop version in the application settings or About dialog. If the version is earlier than 0.8.2, or is a 0.9.x release earlier than 0.9.3, the system is vulnerable.

Check Version:

livebook --version

Verify Fix Applied:

Confirm Livebook Desktop version is 0.8.2 or 0.9.3 or higher. Test that livebook:// links no longer execute arbitrary code.

📡 Detection & Monitoring

Log Indicators:

  • Windows Event Logs showing Livebook Desktop execution from browser processes
  • Unexpected process creation from Livebook Desktop

Network Indicators:

  • HTTP requests to malicious domains following livebook:// link clicks
  • Unusual outbound connections from Livebook process

SIEM Query:

Process Creation where (ParentImage contains "browser" OR CommandLine contains "livebook://") AND Image contains "livebook"
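
The query above applied to process-creation events, as an added example that is not part of the advisory or of the Livebook project. Field names follow Sysmon Event ID 1; the browser executable list (standing in for the query's literal "browser"), the install path and the sample events are constructed assumptions.

```python
# Added example: the advisory's SIEM query applied to Sysmon-style process-creation events.
import ntpath

# Assumption: browser executable names standing in for the query's literal "browser".
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe"}
URI_SCHEME = "livebook://"

def classify(event):
    """Return the reasons an event matches the query; an empty list means no match."""
    if "livebook" not in (event.get("Image") or "").lower():
        return []  # query clause: Image contains "livebook"
    reasons = []
    parent = ntpath.basename(event.get("ParentImage") or "").lower()
    if parent in BROWSER_IMAGES:
        reasons.append("browser_parent")
    if URI_SCHEME in (event.get("CommandLine") or "").lower():
        reasons.append("uri_in_commandline")
    return reasons

def hunt(events):
    """Return (UtcTime, ParentImage, reasons) for every matching event."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["UtcTime"], event["ParentImage"], reasons))
    return hits

# Constructed sample events; the install path and URL are placeholders, not from the advisory.
LB = r"C:\Users\alice\AppData\Local\Programs\Livebook\Livebook.exe"
URL = "livebook://placeholder.invalid/notebook.livemd"
SAMPLE_EVENTS = [
    {"UtcTime": "2023-06-20 09:14:02", "Image": LB, "CommandLine": f'"{LB}" "{URL}"',
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"UtcTime": "2023-06-20 09:30:41", "Image": LB, "CommandLine": f'"{LB}"',
     "ParentImage": r"C:\Windows\explorer.exe"},  # started from the Start menu
    {"UtcTime": "2023-06-20 10:02:17", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe", "ParentImage": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"UtcTime": "2023-06-20 11:45:09", "Image": LB, "CommandLine": f'"{LB}" "{URL}"',
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
]

if __name__ == "__main__":
    for when, parent, reasons in hunt(SAMPLE_EVENTS):
        print(when, ntpath.basename(parent), ",".join(reasons))
```

The fourth sample event shows why the command-line clause matters: a link opened from a mail client has no browser parent and is caught only by the livebook:// match.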
