On the attacker’s machine:
nc -lvnp 443
After the R code runs, a reverse shell is obtained on the server, often as root inside the container.
This vulnerability is documented under tracking frameworks as a Cross-Site Scripting variant (CWE-79) that escalates to local code execution due to underlying node integration privileges.
Impact on Academic and Research Environments
Sandboxed R Script Execution
Exploiting an unpatched Jamovi 0.9.5.5 instance requires minimal effort but relies heavily on social engineering.
The root weakness resides in the Jamovi omv Document Handler. When Jamovi parses a .omv data sheet, it does not correctly neutralize or escape the text strings assigned to column headers. This lack of proper input validation gives rise to a classic CWE-79 (Cross-Site Scripting) exposure inside a desktop software context.
2. The Bridge to the OS: NodeJS Integration
Turn off development modes or custom plugins unless strictly monitored, as R integration blocks can introduce separate file-system risks.
3. Endpoint Monitoring and Rules
and narrowing the scope of what the server could execute without explicit user consent.
However, the community also rallied around the developers, acknowledging their swift response to the vulnerability and their commitment to transparency. Many users praised the developers for their openness and willingness to engage with the community to resolve the issue.
If Jamovi prompts you with an alert stating that a file contains custom R code or external scripts, do not permit execution unless you have verified every line of code yourself.
Affects versions ≤ 1.6.18; allows malicious payloads via column names.
HTB Scenario
Because older versions (including 0.9.5.5) are technically within the range of versions affected by later-discovered XSS vulnerabilities, you should upgrade to the latest Solid or Current release.
The vulnerability triggers when an unsuspecting victim opens the compromised .omv document using an unpatched version of jamovi. The application parses the data, loads the column name, and executes the embedded script in the victim’s local application context.
Technical and Operational Impact
In addition to XSS bugs embedded in column names, Jamovi users face an inherent risk when handling shared files due to the app's advanced features. Jamovi includes an advanced module called the , which allows users to write and run native R code directly inside the application.
The column name renders, the JavaScript executes via Electron, and the attacker gains an initial foothold on the victim's operating system.
Statistical software exploits pose distinct risks to university settings and enterprise data centers.
Jamovi allows users to execute raw R code through the Rj Editor module. While powerful, running arbitrary code from untrusted files introduces risks similar to macro-based malware in Microsoft Excel.