
GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
Published: 10/1/2025
Updated: 10/1/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name: marimo
Ecosystem: pip
Vulnerable Versions: > 0.9.20, < 0.16.4
First Patched Version: 0.16.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability, identified as GHSA-xjv7-6w92-42r7, is a proxy abuse issue in the /mpl/{port}/ endpoint of the marimo package. My analysis of the provided patch commit 0312706d5e594acdb405209b2c8d87c98f46b22b confirms this.

The root cause of the vulnerability was the _create_mpl_proxy_middleware function in marimo/_server/main.py. This function set up a proxy that forwarded requests made to /mpl/<port>/... to http://localhost:<port>/.... The critical flaw was in the nested mpl_target_url function, which extracted the port number directly from the URL path without any authentication or validation. This allowed an unauthenticated attacker to craft requests to arbitrary ports on the machine running the marimo server, potentially accessing sensitive internal services.

The patch addresses this vulnerability by completely removing the _create_mpl_proxy_middleware function and its associated middleware from the application setup in create_starlette_app. It replaces this functionality with a new, more secure routing mechanism defined in marimo/_server/api/endpoints/mpl.py. The new implementation uses a dictionary figure_endpoints to map a figure number to a legitimate port, preventing attackers from specifying arbitrary ports in the URL. The new _mpl_handler function now checks if a requested figure number is authorized before proxying the request.

Based on this analysis, the function that would appear in a runtime profile during exploitation is mpl_target_url, nested within _create_mpl_proxy_middleware. The enclosing _create_mpl_proxy_middleware function is the source of the vulnerability, since it creates and configures the proxy middleware without any restriction on the destination port.

Vulnerable functions

_create_mpl_proxy_middleware
marimo/_server/main.py
This function creates and configures a `ProxyMiddleware` for the `/mpl` endpoint. The vulnerability lies within the nested `mpl_target_url` function, which is passed as the `target_url` argument to the middleware. This nested function extracts a port number directly from the request path and uses it to construct a target URL to `localhost`. Since there is no validation of the port number, an attacker can specify any port on the local machine, allowing them to proxy requests to internal services that are not intended to be publicly accessible.
mpl_target_url
marimo/_server/main.py
This nested function is the runtime indicator of the vulnerability. During an exploit attempt, this function is called by the `ProxyMiddleware` to determine the target URL for the proxy. It parses the request path, extracts the port number without any validation, and returns a target URL pointing to `http://localhost:{port}`. This allows an attacker to scan and interact with any open port on the local machine where the marimo server is running. A profiler would likely show this function (or a reference to it, like `_create_mpl_proxy_middleware.<locals>.mpl_target_url`) in the stack trace when the vulnerable endpoint is accessed.
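The following Python is an added illustration written for this page, not marimo's own code. It reconstructs, from the root cause analysis and the function descriptions above, the vulnerable target-URL derivation (the client-chosen path segment becomes the proxy destination port) beside the shape of the fix (the path carries a figure number that is looked up in a server-side table), and adds a small access-log check that flags /mpl/<port>/ requests whose port the server never registered. The names vulnerable_mpl_target_url, hardened_mpl_target_url, FIGURE_ENDPOINTS and find_proxy_abuse, the port numbers and the log lines are all constructed assumptions.

```python
"""Reconstruction of the /mpl/{port}/ proxy-abuse pattern (GHSA-xjv7-6w92-42r7).

Added example for this page, not marimo's code. Function names, the
FIGURE_ENDPOINTS table, port numbers and log lines are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the patched code's figure -> port table. In the
# real server an entry would be added only when the server itself starts a
# matplotlib backend for a figure, so the client cannot add to it.
FIGURE_ENDPOINTS: Dict[int, int] = {1: 41235, 2: 41236}


def vulnerable_mpl_target_url(path: str) -> str:
    """Pre-0.16.4 behaviour as the advisory describes it (reconstructed).

    The second path segment of /mpl/<port>/<rest> is used verbatim as the
    destination port on localhost. Nothing checks that the port belongs to
    a figure server, so /mpl/22/ reaches sshd and /mpl/6379/ reaches Redis.
    """
    parts = path.split("/")          # ["", "mpl", "<port>", <rest>...]
    port = parts[2]
    rest = "/".join(parts[3:])
    return f"http://localhost:{port}/{rest}"


def hardened_mpl_target_url(path: str) -> Optional[str]:
    """Shape of the fix (reconstructed): the path carries a figure number,
    which is an index into a server-side table. Unknown figures are refused,
    so the client no longer chooses the destination port."""
    m = re.fullmatch(r"/mpl/(\d+)(?:/(.*))?", path)
    if m is None:
        return None                  # malformed: not /mpl/<int>[/...]
    port = FIGURE_ENDPOINTS.get(int(m.group(1)))
    if port is None:
        return None                  # figure never registered: refuse
    rest = m.group(2) or ""
    return f"http://localhost:{port}/{rest}"


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2025:12:00:01 +0000] "GET /mpl/41235/ HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2025:12:00:02 +0000] "GET /mpl/22/ HTTP/1.1" 502 0
10.0.0.5 - - [01/Oct/2025:12:00:03 +0000] "GET /mpl/6379/INFO HTTP/1.1" 200 128
10.0.0.9 - - [01/Oct/2025:12:00:04 +0000] "GET /api/kernel/status HTTP/1.1" 200 64
"""

_LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
_MPL_PATH = re.compile(r"/mpl/(\d+)(?:/|$)")


def find_proxy_abuse(log_text: str, allowed_ports: Set[int]) -> List[Tuple[str, int, int]]:
    """Flag /mpl/<port>/ requests whose port the server never registered.

    Returns (client, port, status) for each suspicious line. On a vulnerable
    build, 502 usually means the port was closed and 200 means something
    answered, so 200s on unregistered ports deserve first attention.
    """
    hits: List[Tuple[str, int, int]] = []
    for line in log_text.splitlines():
        m = _LOG_LINE.match(line)
        if m is None:
            continue
        client, _method, target, status = m.groups()
        pm = _MPL_PATH.match(urlsplit(target).path)
        if pm and int(pm.group(1)) not in allowed_ports:
            hits.append((client, int(pm.group(1)), int(status)))
    return hits


if __name__ == "__main__":
    print(vulnerable_mpl_target_url("/mpl/6379/INFO"))   # attacker picks the port
    print(hardened_mpl_target_url("/mpl/6379/INFO"))     # None: not a registered figure
    print(hardened_mpl_target_url("/mpl/1/"))            # only registered ports
    for hit in find_proxy_abuse(SAMPLE_LOG, set(FIGURE_ENDPOINTS.values())):
        print("suspicious /mpl/ request:", hit)
```

The point of the hardened shape is that the client-controlled segment is no longer a destination but a key into state the server populated itself; validating the port as "an integer" or "above 1024" would not have been enough, because the attacker still picks the destination. For the log check, the allowed set has to come from the server's own figure registration, not from the requests, or the check reduces to trusting the attacker again.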

WAF Protection Rules

WAF Rule

### Summary

The `/mpl/<port>/<route>` endpoint, which is accessible without authentication on default Marimo installations, allows external attackers to reach internal services and arbitrary ports.

### Details

This route is used internally to p
