N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-xjv7-6w92-42r7

EPSS Score

CWE

CWE-441

Published

10/1/2025

Updated

10/1/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-xjv7-6w92-42r7

GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

Summary

The /mpl/<port>/<route> endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.

Details

This route is used internally to provide access to interactive matplotlib visualizations. marimo/marimo/_server/main.py at main · marimo-team/marimo This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified <port> and <route>.

The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.

Impact

CWE-441: Proxying Without Authentication

This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.

Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.

Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:

Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.

phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.

RPCMapper: Can be used for network reconnaissance and enumerating services.

While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.

===

Notes, this was discovered by devgi. I (acepace) followed up and also created this report.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-xjv7-6w92-42r7

GHSA-xjv7-6w92-42r7:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-xjv7-6w92-42r7

EPSS Score

CWE

CWE-441

Published

10/1/2025

Updated

10/1/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
marimo	pip	> 0.9.20, < 0.16.4	0.16.4

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, identified as GHSA-xjv7-6w92-42r7, is a proxy abuse issue in the /mpl/{port}/ endpoint of the marimo package. My analysis of the provided patch commit 0312706d5e594acdb405209b2c8d87c98f46b22b confirms this.

The root cause of the vulnerability was the _create_mpl_proxy_middleware function in marimo/_server/main.py. This function set up a proxy that forwarded requests made to /mpl/<port>/... to http://localhost:<port>/.... The critical flaw was in the nested mpl_target_url function, which extracted the port number directly from the URL path without any authentication or validation. This allowed an unauthenticated attacker to craft requests to arbitrary ports on the machine running the marimo server, potentially accessing sensitive internal services.

The patch addresses this vulnerability by completely removing the _create_mpl_proxy_middleware function and its associated middleware from the application setup in create_starlette_app. It replaces this functionality with a new, more secure routing mechanism defined in marimo/_server/api/endpoints/mpl.py. The new implementation uses a dictionary figure_endpoints to map a figure number to a legitimate port, preventing attackers from specifying arbitrary ports in the URL. The new _mpl_handler function now checks if a requested figure number is authorized before proxying the request.

Based on this analysis, the primary vulnerable function that would appear in a runtime profile during exploitation is the mpl_target_url function, which is nested within _create_mpl_proxy_middleware. The _create_mpl_proxy_middleware function itself is the source of the vulnerability as it is responsible for creating and configuring the insecure proxy middleware.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

Summary

Details

Impact

GHSA-xjv7-6w92-42r7:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability Intelligence
Miggo AI

Detect and Respond To Threats Faster.

N/A

N/A

Technical Details

GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

Summary

Details

Impact

Basic Information

Basic Information

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

Summary

Details

Impact

GHSA-xjv7-6w92-42r7:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

Vulnerability IntelligenceMiggo AI

N/A

N/A

Technical Details

GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/

Summary

Details

Impact

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI