Summary
MarbleRun unauthenticated recovery allows Coordinator impersonation
Workarounds
Connections that purely authenticate based on a known Coordinator's root certificate, e.g. the one retrieved when using the marblerun manifest set CLI command, are not affected.
Impact
During recovery, a Coordinator only verifies that a given recovery key decrypts the sealed state, not if this key was provided by a party with access to one of the recovery keys defined in the manifest.
This allows an attacker to manually craft a sealed state using their own recovery keys, and a manifest that does not match the rest of the state.
If network traffic is redirected from the legitimate coordinator to the attacker's Coordinator, a remote party is susceptible to impersonation if they verify the Coordinator without comparing the root certificate of the Coordinator against a trusted reference.
Under these circumstances, an attacker can trick a remote party into trusting the malicious Coordinator by presenting a manifest that does not match the actual state of the deployment.
This issue does not affect the following:
- secrets and state of the legitimate Coordinator instances
- integrity of workloads
- certificates chaining back to the legitimate Coordinator root certificate
GHSA-W7WM-2425-7P2H has a CVSS score of 7.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.0); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
The issue has been patched in v1.7.0.
Frequently Asked Questions
- What is GHSA-W7WM-2425-7P2H? GHSA-W7WM-2425-7P2H is a high-severity security vulnerability in github.com/edgelesssys/marblerun (go), affecting versions < 1.7.0. It is fixed in 1.7.0.
- How severe is GHSA-W7WM-2425-7P2H? GHSA-W7WM-2425-7P2H has a CVSS score of 7.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/edgelesssys/marblerun are affected by GHSA-W7WM-2425-7P2H? github.com/edgelesssys/marblerun (go) versions < 1.7.0 is affected.
- Is there a fix for GHSA-W7WM-2425-7P2H? Yes. GHSA-W7WM-2425-7P2H is fixed in 1.7.0. Upgrade to this version or later.
- Is GHSA-W7WM-2425-7P2H exploitable, and should I be worried? Whether GHSA-W7WM-2425-7P2H is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-W7WM-2425-7P2H is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-W7WM-2425-7P2H? Upgrade
github.com/edgelesssys/marblerunto 1.7.0 or later.