They notice the version is outdated and explicitly vulnerable to CVE-2021-28079 (though the direct R-code execution is often the easier path).
This vulnerability is documented under tracking frameworks as a Cross-Site Scripting variant (CWE-79) that escalates to local code execution due to underlying node integration privileges.

Impact on Academic and Research Environments
The flaw resides in how jamovi handles "column-names" within its Electron-based interface. An attacker can inject a malicious payload into these fields. When a user opens the compromised file, the software executes the embedded scripts, granting the attacker the ability to access and exfiltrate sensitive local data and to install backdoors or malware on the host system.
Users often search for "jamovi 0955" because researchers sometimes use (which is open-source and easy to script) as a platform to demonstrate or test other exploits, like the Linux 0995 kernel flaw.

Security Takeaway: To stay safe, the jamovi team recommends:
While web-based XSS generally targets remote cloud infrastructure, desktop-based XSS inside an Electron environment presents a different set of risks. The NVD entry for CVE-2021-28079 rates the severity as due to the required user interaction and its scoped execution environment.
files from untrusted or anonymous sources, as these are the primary delivery vehicles for this exploit.

Use Alternative Tools: If you cannot upgrade, consider using the cloud-based jamovi
Jamovi is built on top of Electron, a framework that allows developers to build desktop applications using web technologies like HTML, CSS, and JavaScript. Electron applications blend web frontend experiences with local system access. If input sanitization fails, this architectural mix introduces critical vulnerabilities.
If a system running jamovi 0.9.5.5 is successfully exploited, the consequences can be severe:
Version 0.9.5.5 is highly outdated. Users should update to the latest version available on the official jamovi download page.

Avoid Untrusted Files: Do not open
Version 0.9.5.5 dates back several years. Modern security patches, including the fix for the Electron-based XSS, were only introduced in versions released after April 2021 (Version 1.6.19 and later).

Availability of PoCs
The exploit leverages the lack of input sanitization to inject malicious JavaScript code. Because Jamovi runs within an Electron environment, the JavaScript engine has access to Node.js capabilities (depending on the specific configuration of the Electron app).
Cross-Site Scripting (XSS) leading to potential Remote Code Execution (RCE) via the ElectronJS framework.

Affected Versions: jamovi version 1.6.18 and all prior versions, including
If an external .omv source is questionable, treat it like an untrusted Microsoft Office macro document: do not grant execution privileges upon launch.
The main flaw is a vulnerability tracked as CVE-2021-28079. Here is how a hacker uses it:
As data science tools become more interconnected, new threats emerge: