chore(deps): update dependency marimo [security]#155
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
1c65b54 to
7beba5b
Compare
7beba5b to
b6a8cd0
Compare
b6a8cd0 to
92a9dc4
Compare
92a9dc4 to
89157b8
Compare
89157b8 to
1b75e66
Compare
1b75e66 to
a6e4045
Compare
a6e4045 to
dc3b16f
Compare
dc3b16f to
2ee2688
Compare
1f90162 to
b1db5a5
Compare
b1db5a5 to
bd3e8da
Compare
bd3e8da to
35c4452
Compare
35c4452 to
36aaa06
Compare
a5b60ca to
3f2d51b
Compare
3f2d51b to
9993c4f
Compare
9993c4f to
7103775
Compare
7103775 to
d5bc079
Compare
d5bc079 to
d196089
Compare
d196089 to
f435040
Compare
f435040 to
ae70632
Compare
ae70632 to
94e055c
Compare
94e055c to
697147b
Compare
697147b to
ef21641
Compare
ef21641 to
293f640
Compare
293f640 to
7735140
Compare
7735140 to
de05428
Compare
de05428 to
ea83d04
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
>0.14,<0.15→>0.23,<0.24==0.14.17→==0.23.9marimo vulnerable to proxy abuse of /mpl/{port}/
GHSA-xjv7-6w92-42r7
More information
Details
Summary
The
/mpl/<port>/<route>endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.Details
From our understanding, this route is used internally to provide access to interactive matplotlib visualizations.
marimo/marimo/_server/main.py at main · marimo-team/marimo
This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified
<port>and<route>.The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.
Impact
CWE-441: Proxying Without Authentication
This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.
Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.
Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:
Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.
phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.
RPCMapper: Can be used for network reconnaissance and enumerating services.
While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.
===
Notes, this was discovered by devgi. I (acepace) followed up and also created this report.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
CVE-2026-39987 / GHSA-2679-6mx9-h9xc
More information
Details
Summary
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint
/terminal/wslacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.Unlike other WebSocket endpoints (e.g.,
/ws) that correctly callvalidate_auth()for authentication, the/terminal/wsendpoint only checks the running mode and platform support before accepting connections, completely skipping authentication verification.Affected Versions
Marimo <= 0.20.4
Vulnerability Details
Root Cause: Terminal WebSocket Missing Authentication
marimo/_server/api/endpoints/terminal.pylines 340-356:Compare with the correctly implemented
/wsendpoint (ws_endpoint.pylines 67-82):Authentication Middleware Limitation
Marimo uses Starlette's
AuthenticationMiddleware, which marks failed auth connections asUnauthenticatedUserbut does NOT actively reject WebSocket connections. Actual auth enforcement relies on endpoint-level@requires()decorators orvalidate_auth()calls.The
/terminal/wsendpoint has neither a@requires("edit")decorator nor avalidate_auth()call, so unauthenticated WebSocket connections are accepted even when the auth middleware is active.Attack Chain
ws://TARGET:2718/terminal/ws(no auth needed)websocket.accept()accepts the connection directlypty.fork()creates a PTY child processA single WebSocket connection yields a complete interactive shell.
Proof of Concept
Reproduction Environment
Reproduction Result
With auth enabled (server generates random
access_token), the exploit bypasses authentication entirely:Suggested Remediation
/terminal/wsendpoint, consistent with/wsusingWebSocketConnectionValidator.validate_auth()Impact
An unauthenticated attacker can obtain a full interactive root shell on the server via a single WebSocket connection. No user interaction or authentication token is required, even when authentication is enabled on the marimo instance.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
marimo contains a reflected cross-site scripting vulnerability in the notebook page
CVE-2026-54386 / GHSA-8m59-7xv8-735h
More information
Details
marimo before 0.23.9 contains a reflected cross-site scripting vulnerability in the notebook page that allows unauthenticated attackers to inject arbitrary JavaScript by exploiting improper escaping of single quotes in the file query parameter reflected into an inline JavaScript string literal. Attackers can craft a malicious link with a payload beginning with new to bypass the 404 check and inject JavaScript into the page, which executes without Content-Security-Policy restrictions in the origin of a victim's marimo server.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
marimo-team/marimo (marimo)
v0.23.14Compare Source
What's Changed
This release brings anywidget composition with hot reload, an experimental debugger with per-line timing, chat AI improvements, and cached WASM exports.
Plus many fixes across charts, tables, and exports.
⭐️ Highlights
Anywidget composition and hot reload
marimo now supports anywidget's new composition API: parent widgets can render child widgets they were handed as values. Widget frontend code also hot-reloads in place as you edit it — live views re-render with widget state intact (#10127).
Read the docs for more on building custom UI plugins.
Debugger and per-line timing
An experimental debugger execution lifecycle adds frame watching to cell execution, highlighting the currently executing line and enabling debug points (#9970).
Screen.Recording.2026-06-23.at.9.53.50.AM.mov
Building on the same machinery, the experimental
line_timingflag shows an elapsed-time pill on any line that has been busy for more than ~500ms (#10126).Chat AI improvements
The AI chat panel picked up several upgrades this release:
@error://allor a single cell's error to attach its source, traceback, and SQL schema as context chips (#10038)Screen.Recording.2026-06-30.at.5.24.02.PM.mov
Read the docs for more on AI features.
Cached WASM exports
marimo export html-wasm --executenow bundles runtime cache into the export, so published notebooks hydrate cell outputs from cache instead of recomputing them in the browser (#9897). This lets you share interactive snapshots of executions that normally can't run in the browser at all (like a jax or torch training run) while the rest of the notebook stays live. Built on a new cell-level cached execution lifecycle, opt-in via[tool.marimo.runtime] cache_cells = true(#9895).Screen.Recording.2026-07-08.at.4.39.03.PM.mov
Read the docs for more on exporting notebooks.
✨ Enhancements
mdxflavor in md export (#10116)__generated_withwhen that's the only change in a notebook (#10027)🐛 Bug fixes
📚 Documentation
mo.ui.panelin its docstring (#10067)🔬 Preview features
Contributors
Thanks to all our community and contributors who made this release possible: @akshayka, @brookpatten, @David-Wu1119, @dmadisetti, @eeshsaxena, @Felipenguim, @Hemanth-1354, @kirangadhave, @Light2Dark, @manzt, @mscolnick, @ohmdelta, @Oishe, @peter-gy, @qorexdevs, @VishakBaddur, @wally-an, @yairchu
And especially to our new contributors:
Full Changelog: marimo-team/marimo@0.23.13...0.23.14
v0.23.13Compare Source
v0.23.12Compare Source
What's Changed
✨ Enhancements
🐛 Bug fixes
📝 Other changes
ea3c57c)bf0468d)f7b1571)marimo export md(#9586) (8565003)Contributors
Thanks to all our community and contributors who made this release possible: @akshayka, @allin2, @app/github-actions, @dmadisetti, @kirangadhave, @koaning, @ktaletsk, @Light2Dark, @lxingy3, @mscolnick, @peter-gy, @Vitaliy-Pikalo
New Contributors
Full Changelog: marimo-team/marimo@0.23.11...0.23.12
v0.23.11Compare Source
What's Changed
This release gives
mo.ui.tablefiner display control (fixed column widths, a toggleable search bar, and a reusable display config).Additionally
mo.output.clear_console()adds a way to clear console output mid-run, and ships a broad set of fixes across AI config, exports, and the data sources tree.Various other bug fixes like
matplotlib==3.11support inmo.mpl.interactiveandpydantic-slimintegration also ship in this release.⭐️ Highlights
More control over
mo.ui.tabledisplayYou can now size and trim tables to fit your data.
column_widthspins named columns to an exact pixel width (great for long file paths or notes that used to get clipped), while unlisted columns continue to size to their content. The search bar is now toggleable viashow_search, and the four visibility flags are available as a reusablemo.ui.table.Displayconfig you can build once and unpack into many tables (#9982, #9984).Clear console output mid-run
mo.output.clear_console()clears a cell's console output while it's still running, and the clear now sticks across reconnects, exports, and the on-disk session cache, not just in the live view. This replaces the old "re-run the cell to clear it" workaround.✨ Enhancements
show_searchand a reusablemo.ui.table.Displayconfig (#9984)column_widthstomo.ui.table(#9982)pyproject.toml(#9961)mo.output.clear_console()(#9950)🐛 Bug fixes
ai.enabledis false (#9937)str.splitlines()(#9957)📚 Documentation
/bin/bash->/usr/bin/env bash(#9942)📝 Other changes
068f140)DESIGN.md(#9641,7f29fa3)06b152a)Contributors
Thanks to all our community and contributors who made this release possible: @akshayka, @dmadisetti, @kirangadhave, @Light2Dark, @lzblack, @peter-gy, @skaphi, @VishakBaddur
And especially to our new contributors:
Full Changelog: marimo-team/marimo@0.23.10...0.23.11
v0.23.10Compare Source
What's Changed
This release brings threading and multiprocessing to WASM notebooks and makes remote storage browsing scale with search and pagination — alongside table column controls, slide editing improvements, and a broad set of fixes.
⭐️ Highlights
Pyodide 314.0
This release moves marimo's WebAssembly runtime to Pyodide's latest release: Pyodide 314.0. This allows use to use newer versions of
duckdb,polars, andpyarrowas well as many other popular packages.Threading and multiprocessing in WASM
WASM notebooks can now run
threading- andmultiprocessing-shaped code. marimo installs lightweight adapters for Pyodide somo.Thread, stdlibthreadingprimitives, and commonmultiprocessingAPIs keep working in the browser, executing on a synthetic thread identity that the marimo runtime context follows (#9839).Screen.Recording.2026-06-09.at.16.56.56.mov
Scalable remote storage browsing
Browsing large remote storage backends is now practical. Listings paginate behind a "Load more" button instead of loading everything up front, and when a prefix query matches none of the already-loaded entries, marimo pages through the backend to surface remote results — matching on full paths so partial path queries resolve, with clear status while it searches (#9834, #9835).
Screen.Recording.2026-06-10.at.11.56.00.AM.mov
✨ Enhancements
OTEL_SERVICE_NAMEfor traces (#9906)/api/usageendpoint (#9773)mo.ui.tablehover_template (#9780)🐛 Bug fixes
as_completedtimeout deterministic (#9891)!-command cells from disabling underscore-privatization on convert (#9873)📚 Documentation
jupyter-book-marimoplugin (#9802)📝 Other changes
mo.ui.chat(#9847, #9888,29352cf)b3c9225)Contributors
Thanks to all our community and contributors who made this release possible: @agriyakhetarpal, @akshayka, @dmadisetti, @kirangadhave, @koaning, @Light2Dark, @mscolnick, @nkgotcode, @peter-gy, @Set27, @VishakBaddur
And especially to our new contributors:
Full Changelog: marimo-team/marimo@0.23.9...0.23.10
v0.23.9Compare Source
What's Changed
This release makes opening a notebook in a second tab non-destructive,
mo.ui.tableadds new args forhidden_columns/visible_columns(mutually exclusive), and tightens sharing and error-output behavior across the board.⭐️ Highlights
Open the same notebook in a second tab
Opening a notebook in a second browser tab no longer forcibly disconnects the first. The new tab joins as a live, read-only viewer, and you can take over editing from either side with a single click — no destructive modal and no reload required (#9746).
Screen.Recording.2026-06-01.at.3.31.17.PM.mov
Show and hide table columns
mo.ui.tablenow supports column visibility. Hide and show columns from the column header menu, Column Explorer with a click, find columns fast with smart prefix-based search, and control initial visibility from Python. A hidden-count and "Unhide all" link keep things discoverable (#9687, #9696).Screen.Recording.2026-05-26.at.6.35.04.PM.mov
Cells with no output now show in slides
Because slides allow code edits, a slide edited to no longer produce an output used to disappear from the deck entirely. Such cells now appear in the slides minimap and viewer so you can edit them back in (they're still skipped during a presentation). Minimap thumbnails are also larger and more readable (#9771).
Screen.Recording.2026-06-03.at.2.25.46.PM.mov
✨ Enhancements
🐛 Bug fixes
📚 Documentation
📝 Other changes
Contributors
Thanks to all our community and contributors who made this release possible: @akshayka, @corleyma, @dmadisetti, @everettroeth, @foxcroftjn, @GHX5T-SOL, @kirangadhave, @kjgoodrick, @kratos0718, @Light2Dark, @mscolnick, @nojaf, @Rowlando13, @VishakBaddur, @XanthanGum
And especially to our new contributors:
Full Changelog: marimo-team/marimo@0.23.8...0.23.9
v0.23.8Compare Source
v0.23.7Compare Source
What's Changed
This release brings major upgrades to table filtering, adds speaker notes to slide view, and lets WASM notebooks query remote files with DuckDB.
⭐ Highlights
Powerful new table column filters
Table columns now support the full operator set across every dtype. Text columns get
contains,starts_with,ends_with,equals,regex,is_empty, and more, with a slash-bracketedregexinput and a creatable values picker forin/not_in. Number columns get nativebetween, and the new date/datetime/time filter UI brings the same operator coverage to date-like columns with smart clipboard paste for ISO/US/RFC dates andA - Branges (#9597, #9615).Screen.Recording.2026-05-18.at.7.54.06.PM.mov
Speaker notes for slides
Press
Sin slide view to open speaker notes alongside the current slide, including in fullscreen and kiosk mode (#9533).Screen.Recording.2026-05-12.at.5.32.23.PM.mov
Query remote files with DuckDB in WASM notebooks
WASM notebooks can now read CSV, Parquet, JSON, and GeoJSON over HTTP from
mo.sql, SQL cells, rawduckdb.sql/query/execute, connection SQL methods, and theduckdb.read_csv/read_parquet/read_jsonPython API. marimo rewrites the AST withsqlglot, fetches the remote file via its shared WASM fetch util, and binds the result as a pandas DataFrame that DuckDB can scan (#9480).✨ Enhancements
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR was generated by Mend Renovate. View the repository job log.