GHSA-xjv7-6w92-42r7
marimo vulnerable to proxy abuse of /mpl/{port}/
Blast Radius
marimoReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects PyPI packages — download data is not available via public APIs for these ecosystems.
Description
Summary
The /mpl/<port>/<route> endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.
Details
From our understanding, this route is used internally to provide access to interactive matplotlib visualizations.
marimo/marimo/_server/main.py at main · marimo-team/marimo
This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified <port> and <route>.
The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.
Impact
CWE-441: Proxying Without Authentication
This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.
Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.
Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:
Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.
phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.
RPCMapper: Can be used for network reconnaissance and enumerating services.
While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.
===
Notes, this was discovered by devgi. I (acepace) followed up and also created this report.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐍PyPI | marimo | ≥ 0.9.20&&< 0.16.4 | 0.16.4 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for marimo. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update marimo to 0.16.4 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xjv7-6w92-42r7 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xjv7-6w92-42r7 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xjv7-6w92-42r7. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xjv7-6w92-42r7 in your dependencies?
O3 detects GHSA-xjv7-6w92-42r7 across PyPI dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.