<aside>

If you have a deployment of marimo exposed to the public, please upgrade to

marimo>=0.16.4

</aside>

Summary

The /mpl/<port>/<route> endpoint is reachable without authentication on default marimo installations. Because the target port is taken directly from the URL, an unauthenticated user can use the endpoint as a proxy to arbitrary ports on the host running marimo, including internal services that are not otherwise exposed.

CWE-441: Unintended Proxy or Intermediary ('Confused Deputy'), here in the form of proxying without authentication

An unauthenticated attacker can use the endpoint to bypass network firewalls and reach services that are intended to be local-only (bound to localhost, or otherwise unreachable from outside the host). The impact depends entirely on which services are listening on that host and what they expose without authentication of their own.

What versions are affected

0.9.20 <= marimo <= 0.16.3
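As an added example (not marimo's code, and not the fix that shipped in 0.16.4), the following Python models the routing decision behind this advisory and the affected range above: a vulnerable resolver that forwards to whatever port appears in /mpl/<port>/<route>, a hardened resolver that requires a session credential and only proxies to ports the server itself opened, and a helper that tests a version string against 0.9.20 <= marimo <= 0.16.3. The Request class, its session_token field, the token set and the owned-port set are assumptions for illustration only.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Route shape named in the advisory: /mpl/<port>/<route>
MPL_ROUTE = re.compile(r"^/mpl/(?P<port>\d{1,5})(?P<route>/.*)?$")


@dataclass(frozen=True)
class Request:
    """Constructed stand-in for an HTTP request; only the fields the decision needs."""
    path: str
    session_token: Optional[str] = None  # hypothetical credential, not marimo's real auth


@dataclass(frozen=True)
class ProxyTarget:
    host: str
    port: int
    route: str


def parse_mpl_path(path: str) -> Optional[Tuple[int, str]]:
    """Return (port, route) for a /mpl/<port>/<route> path, or None if it does not match."""
    m = MPL_ROUTE.match(path)
    if m is None:
        return None
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        return None
    return port, m.group("route") or "/"


def vulnerable_resolve(request: Request) -> Optional[ProxyTarget]:
    """The CWE-441 pattern: whoever reaches the endpoint picks the port, with no auth check."""
    parsed = parse_mpl_path(request.path)
    if parsed is None:
        return None
    port, route = parsed
    # Every loopback port on the host becomes reachable through the public listener.
    return ProxyTarget("127.0.0.1", port, route)


def hardened_resolve(
    request: Request, valid_tokens: Set[str], owned_ports: Set[int]
) -> Optional[ProxyTarget]:
    """Same route with two added gates: a valid session credential, and an
    allowlist of ports this server itself opened (owned_ports)."""
    parsed = parse_mpl_path(request.path)
    if parsed is None:
        return None
    port, route = parsed
    token = request.session_token
    # Constant-time comparison against each known token; reject when none matches.
    if token is None or not any(hmac.compare_digest(token, t) for t in valid_tokens):
        return None
    # A caller-supplied port the server never allocated is refused, not forwarded.
    if port not in owned_ports:
        return None
    return ProxyTarget("127.0.0.1", port, route)


# Affected range from the advisory: 0.9.20 <= marimo <= 0.16.3, fixed in 0.16.4.
AFFECTED_MIN = (0, 9, 20)
FIXED_IN = (0, 16, 4)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'X.Y.Z' into an int tuple; trailing non-digits in a component
    (e.g. '4rc1') are ignored, so pre-releases compare as their base version."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if digits is None:
            raise ValueError(f"unparseable version: {version!r}")
        parts.append(int(digits.group()))
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


if __name__ == "__main__":
    # Constructed requests: the server opened port 9000 itself; 8080 is something else on the host.
    anon = Request("/mpl/8080/")
    print("vulnerable forwards anonymous caller to:", vulnerable_resolve(anon))
    print("hardened refuses it:", hardened_resolve(anon, {"s3cret"}, {9000}))
    print("0.16.3 affected:", is_affected_version("0.16.3"))
```

The hardened resolver denies by default on either failed gate, and the port allowlist is the part that closes the confused-deputy issue: even an authenticated user cannot turn the endpoint into a general-purpose proxy to the host.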

Who is affected

Likely not affected

Support