Unintended Proxy or Intermediary ('Confused Deputy') Affecting marimo package, versions [0.9.20,0.16.4)


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-MARIMO-13285223
  • Published: 6 Oct 2025
  • Disclosed: 1 Oct 2025
  • Credit: Ace Pace

Introduced: 1 Oct 2025

CVE: not available
CWE: CWE-441

How to fix?

Upgrade marimo to version 0.16.4 or higher.

Overview

marimo is a library for making reactive notebooks and apps.

Affected versions of this package are vulnerable to Unintended Proxy or Intermediary ('Confused Deputy') via the /mpl/{port}/ endpoint, which acts as an unauthenticated proxy: the target port is taken from the request path and the marimo server forwards the request on the caller's behalf. An attacker who can reach the marimo server can therefore send crafted requests to this endpoint to access internal services and arbitrary ports, bypassing firewall rules that assume those services are reachable only from the local host. This can result in exposure of sensitive data, unauthorized access to internal resources, or further compromise of the host system.
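The following is an added example and not marimo's own code or its actual patch: it models the confused-deputy pattern described above (a path-supplied port forwarded with no check), the gate a hardened handler would apply (caller must present the server's session token, and the port must be one the server itself registered), and then reuses that gate over constructed access-log lines to find requests that probed ports the server never registered. It also encodes the advisory's affected range [0.9.20, 0.16.4) as a version check. All function names, the token mechanism, the sample ports and the log lines are this example's assumptions; the logic is the point.

```python
"""Confused-deputy proxy gate, log scan and version check (added example)."""
import hmac
import re
from typing import List, Optional, Set, Tuple

Target = Tuple[str, int]


def proxy_target_vulnerable(port_str: str) -> Optional[Target]:
    """Vulnerable pattern: any numeric port from the path is proxied to loopback.
    No authentication, no check that the server ever opened that port."""
    if not port_str.isdigit():
        return None
    return ("127.0.0.1", int(port_str))


def proxy_target_hardened(port_str: str,
                          registered_ports: Set[int],
                          expected_token: str,
                          presented_token: Optional[str]) -> Optional[Target]:
    """Hardened pattern (assumed design, not marimo's actual fix):
    forward only when the caller proves it is an authorised user of this
    server AND the port is one the server registered for a figure backend.
    Anything else is refused, so the server cannot be used as a deputy to
    reach other local-only services."""
    if presented_token is None or not hmac.compare_digest(presented_token, expected_token):
        return None
    if not port_str.isdigit():
        return None
    port = int(port_str)
    if port not in registered_ports:
        return None
    return ("127.0.0.1", port)


# Combined-log-format request line for the proxy endpoint: captures the port
# segment and the HTTP status. The path suffix after /mpl/{port}/ is ignored.
_MPL_REQUEST = re.compile(r'"(?:GET|POST) /mpl/(\d+)/[^" ]* HTTP/[0-9.]+" (\d{3})')


def scan_access_log(lines: List[str], registered_ports: Set[int]) -> List[Tuple[int, int, int]]:
    """Return (line_no, port, status) for every /mpl/{port}/ request whose port
    was never registered by the server: the signature of someone using the
    endpoint as a pivot rather than to view a figure."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = _MPL_REQUEST.search(line)
        if not m:
            continue
        port, status = int(m.group(1)), int(m.group(2))
        if port not in registered_ports:
            hits.append((n, port, status))
    return hits


def _vtuple(version: str) -> Tuple[int, ...]:
    # Numeric prefix only; a pre-release suffix such as "rc1" is ignored (assumption).
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected_version(version: str) -> bool:
    """True when an installed marimo version falls in the advisory's range [0.9.20, 0.16.4)."""
    return _vtuple("0.9.20") <= _vtuple(version) < _vtuple("0.16.4")


# Constructed sample: one legitimate figure request (port 40001 is the only
# registered backend) followed by probes of a cache and a search service.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Oct/2025:12:00:01 +0000] "GET /mpl/40001/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2025:12:00:02 +0000] "GET /mpl/6379/ HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Oct/2025:12:00:03 +0000] "GET /mpl/9200/_cat/indices HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Oct/2025:12:00:04 +0000] "GET /api/kernel/run HTTP/1.1" 200 10',
]
REGISTERED_PORTS = {40001}

if __name__ == "__main__":
    for line_no, port, status in scan_access_log(SAMPLE_LOG, REGISTERED_PORTS):
        print(f"line {line_no}: proxy request to unregistered port {port} (status {status})")
    print("0.16.3 affected:", is_affected_version("0.16.3"))
    print("0.16.4 affected:", is_affected_version("0.16.4"))
```

The hardened gate keeps the allow-list on the server side (ports it opened itself) rather than trying to block "dangerous" ports, because any deny-list would still leave the server forwarding to whatever the caller names. The log scan applies the same membership test after the fact, which is the quickest way to tell whether an exposed instance was actually used as a pivot before the upgrade.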
