GHSA-XJV7-6W92-42R7

Vulnerability from github – Published: 2025-10-01 21:20 – Updated: 2025-11-20 17:20
VLAI
Summary
marimo vulnerable to proxy abuse of /mpl/{port}/
Details

Summary

The /mpl/<port>/<route> endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.

Details

From our understanding, this route is used internally to provide access to interactive matplotlib visualizations. marimo/marimo/_server/main.py at main · marimo-team/marimo This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified <port> and <route>.

The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.

Impact

CWE-441: Proxying Without Authentication

This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.

Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.

Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:

Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.

phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.

RPCMapper: Can be used for network reconnaissance and enumerating services.

While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.

===

Notes, this was discovered by devgi. I (acepace) followed up and also created this report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "marimo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.20"
            },
            {
              "fixed": "0.16.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-01T21:20:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe  `/mpl/\u003cport\u003e/\u003croute\u003e` endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports. \n\n### Details\nFrom our understanding, this route is used internally to provide access to interactive matplotlib visualizations.\n[marimo/marimo/_server/main.py at main \u00b7 marimo-team/marimo](https://github.com/marimo-team/marimo/blob/main/marimo/_server/main.py) \nThis endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified `\u003cport\u003e` and `\u003croute\u003e`.\n\nThe existence of this proxy is visible in the application\u0027s code (marimo/_server/main.py), but there\u0027s no official documentation or warning about its behavior or potential risks.\n\n\n### Impact\nCWE-441: Proxying Without Authentication\n\nThis vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.\n\nFull Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.\n\nExposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:\n\nOld CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.\n\nphpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.\n\nRPCMapper: Can be used for network reconnaissance and enumerating services.\n\nWhile you\u2019d hope people wouldn\u2019t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn\u0027t limited to a few isolated cases but is a widespread issue affecting production environments.\n\n===\n\nNotes, this was discovered by [devgi](https://github.com/devgi). I ([acepace](https://github.com/acepace)) followed up and also created this report.",
  "id": "GHSA-xjv7-6w92-42r7",
  "modified": "2025-11-20T17:20:23Z",
  "published": "2025-10-01T21:20:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/security/advisories/GHSA-xjv7-6w92-42r7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/commit/0312706d5e594acdb405209b2c8d87c98f46b22b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/marimo-team/marimo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/releases/tag/0.16.4"
    },
    {
      "type": "WEB",
      "url": "https://marimo-team.notion.site/cve-proxy-without-authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "marimo vulnerable to proxy abuse of /mpl/{port}/"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…