GHSA-xjv7-6w92-42r7: marimo vulnerable to proxy abuse of /mpl/{port}/
The /mpl/<port>/<route> endpoint, which is accessible without authentication on default marimo installations, allows external attackers to reach internal services and arbitrary ports.
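As an added detection example (not code from the advisory or the marimo project), the script below scans web-server access-log lines for requests to the /mpl/<port>/ proxy path and flags any whose port is not one of the figure-server ports the deployment expects, then counts how many distinct unexpected ports each client touched. The log lines, the combined-log field layout and the expected port set are constructed assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Matches the request line for the advisory's proxy path: /mpl/<port>/<route>
MPL_PROXY_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) /mpl/(\d{1,5})/(\S*)')

# Ports on which this (assumed) deployment's own matplotlib figure servers listen.
# Any other port reached through the proxy is not legitimate figure traffic.
EXPECTED_PORTS = {45001, 45002}

# Constructed sample access log (combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2025:10:01:02 +0000] "GET /mpl/45001/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2025:10:01:03 +0000] "GET /mpl/45001/_images/figure.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Oct/2025:10:02:10 +0000] "GET /mpl/8080/ HTTP/1.1" 200 57 "-" "curl/8.4.0"
203.0.113.7 - - [12/Oct/2025:10:02:11 +0000] "GET /mpl/3000/status HTTP/1.1" 200 4096 "-" "curl/8.4.0"
203.0.113.7 - - [12/Oct/2025:10:02:12 +0000] "GET /mpl/9000/ HTTP/1.1" 502 0 "-" "curl/8.4.0"
10.0.0.9 - - [12/Oct/2025:10:03:00 +0000] "GET /api/kernel/run HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def find_proxy_abuse(log_lines: Iterable[str],
                     expected_ports=EXPECTED_PORTS) -> List[Tuple[str, int, str]]:
    """Return (client_ip, port, route) for every /mpl/<port>/ request whose
    port is not a known figure-server port. Non-proxy requests are ignored."""
    hits = []
    for line in log_lines:
        match = MPL_PROXY_RE.search(line)
        if not match:
            continue
        port = int(match.group(1))
        if port not in expected_ports:
            client_ip = line.split(" ", 1)[0]  # first field of combined-log format
            hits.append((client_ip, port, match.group(2)))
    return hits


def distinct_ports_per_client(hits: Iterable[Tuple[str, int, str]]) -> Dict[str, int]:
    """Count distinct unexpected ports per client; one client walking many
    ports through the proxy is the pattern worth alerting on."""
    ports: Dict[str, set] = {}
    for client_ip, port, _route in hits:
        ports.setdefault(client_ip, set()).add(port)
    return {ip: len(p) for ip, p in ports.items()}


if __name__ == "__main__":
    abuse = find_proxy_abuse(SAMPLE_LOG.splitlines())
    for client_ip, port, route in abuse:
        print(f"unexpected proxy target: client={client_ip} port={port} route=/{route}")
    for client_ip, count in distinct_ports_per_client(abuse).items():
        print(f"{client_ip}: {count} distinct unexpected port(s)")
```

Run it against real access logs by replacing SAMPLE_LOG with the server's log and EXPECTED_PORTS with the ports the instance's figure servers actually bind; the references list marimo 0.16.4 as the release carrying the fix, so the detection is a stop-gap for instances that cannot upgrade immediately and a way to review historical logs after upgrading.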
References
- github.com/advisories/GHSA-xjv7-6w92-42r7
- github.com/marimo-team/marimo
- github.com/marimo-team/marimo/commit/0312706d5e594acdb405209b2c8d87c98f46b22b
- github.com/marimo-team/marimo/releases/tag/0.16.4
- github.com/marimo-team/marimo/security/advisories/GHSA-xjv7-6w92-42r7
- marimo-team.notion.site/cve-proxy-without-authentication