CWE-441
Allowed-with-ReviewUnintended Proxy or Intermediary ('Confused Deputy')
Abstraction: Class · Status: Draft
The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
153 vulnerabilities reference this CWE, most recent first.
GHSA-W34F-VM33-HPXX
Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-03 00:31In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-0008"
],
"database_specific": {
"cwe_ids": [
"CWE-441"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T19:16:29Z",
"severity": "HIGH"
},
"details": "In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-w34f-vm33-hpxx",
"modified": "2026-03-03T00:31:10Z",
"published": "2026-03-02T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0008"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2026-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-WG33-5H85-7Q5P
Vulnerability from github – Published: 2025-02-06 17:07 – Updated: 2025-02-06 19:54Impact
In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution.
The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The block_global option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.
Patches
The vulnerability has been fixed in mitmproxy 11.1.2 and above.
Acknowledgements
We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by Radically Open Security. This audit was supported by the NGI0 Entrust fund established by NLnet.
Timeline
- 2025-01-14: Received initial report.
- 2025-01-14: Verified report and confirmed receipt.
- 2025-01-19: Shared patch with researcher.
- 2025-02-04: Received final confirmation that patch is working.
- 2025-02-05: Published patched release and advisory.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mitmproxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "11.1.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-23217"
],
"database_specific": {
"cwe_ids": [
"CWE-288",
"CWE-441"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-06T17:07:41Z",
"nvd_published_at": "2025-02-06T18:15:32Z",
"severity": "HIGH"
},
"details": "### Impact\nIn mitmweb 11.1.0 and below, a malicious client can use mitmweb\u0027s proxy server (bound to `*:8080` by default) to access mitmweb\u0027s internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution.\n\nThe mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.\n\n### Patches\n\nThe vulnerability has been fixed in mitmproxy 11.1.2 and above.\n\n### Acknowledgements\n\nWe thank Stefan Gr\u00f6nke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audit was supported by the [NGI0 Entrust fund](https://nlnet.nl/entrust/) established by [NLnet](https://nlnet.nl/).\n\n### Timeline\n\n- **2025-01-14**: Received initial report. \n- **2025-01-14**: Verified report and confirmed receipt.\n- **2025-01-19**: Shared patch with researcher.\n- **2025-02-04**: Received final confirmation that patch is working.\n- **2025-02-05**: Published patched release and advisory.",
"id": "GHSA-wg33-5h85-7q5p",
"modified": "2025-02-06T19:54:56Z",
"published": "2025-02-06T17:07:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23217"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a"
},
{
"type": "WEB",
"url": "https://en.wikipedia.org/wiki/Server-side_request_forgery"
},
{
"type": "PACKAGE",
"url": "https://github.com/mitmproxy/mitmproxy"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md#06-february-2025-mitmproxy-1112"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Mitmweb API Authentication Bypass Using Proxy Server"
}
GHSA-XJV7-6W92-42R7
Vulnerability from github – Published: 2025-10-01 21:20 – Updated: 2025-11-20 17:20Summary
The /mpl/<port>/<route> endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.
Details
From our understanding, this route is used internally to provide access to interactive matplotlib visualizations.
marimo/marimo/_server/main.py at main · marimo-team/marimo
This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified <port> and <route>.
The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.
Impact
CWE-441: Proxying Without Authentication
This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.
Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.
Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:
Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.
phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.
RPCMapper: Can be used for network reconnaissance and enumerating services.
While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.
===
Notes, this was discovered by devgi. I (acepace) followed up and also created this report.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "marimo"
},
"ranges": [
{
"events": [
{
"introduced": "0.9.20"
},
{
"fixed": "0.16.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-441"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-01T21:20:11Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe `/mpl/\u003cport\u003e/\u003croute\u003e` endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports. \n\n### Details\nFrom our understanding, this route is used internally to provide access to interactive matplotlib visualizations.\n[marimo/marimo/_server/main.py at main \u00b7 marimo-team/marimo](https://github.com/marimo-team/marimo/blob/main/marimo/_server/main.py) \nThis endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified `\u003cport\u003e` and `\u003croute\u003e`.\n\nThe existence of this proxy is visible in the application\u0027s code (marimo/_server/main.py), but there\u0027s no official documentation or warning about its behavior or potential risks.\n\n\n### Impact\nCWE-441: Proxying Without Authentication\n\nThis vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.\n\nFull Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.\n\nExposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:\n\nOld CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.\n\nphpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.\n\nRPCMapper: Can be used for network reconnaissance and enumerating services.\n\nWhile you\u2019d hope people wouldn\u2019t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn\u0027t limited to a few isolated cases but is a widespread issue affecting production environments.\n\n===\n\nNotes, this was discovered by [devgi](https://github.com/devgi). I ([acepace](https://github.com/acepace)) followed up and also created this report.",
"id": "GHSA-xjv7-6w92-42r7",
"modified": "2025-11-20T17:20:23Z",
"published": "2025-10-01T21:20:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/security/advisories/GHSA-xjv7-6w92-42r7"
},
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/commit/0312706d5e594acdb405209b2c8d87c98f46b22b"
},
{
"type": "PACKAGE",
"url": "https://github.com/marimo-team/marimo"
},
{
"type": "WEB",
"url": "https://github.com/marimo-team/marimo/releases/tag/0.16.4"
},
{
"type": "WEB",
"url": "https://marimo-team.notion.site/cve-proxy-without-authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "marimo vulnerable to proxy abuse of /mpl/{port}/"
}
Mitigation
Enforce the use of strong mutual authentication mechanism between the two parties.
Mitigation
Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.
CAPEC-219: XML Routing Detour Attacks
An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.
CAPEC-465: Transparent Proxy Abuse
A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.