Common Weakness Enumeration

CWE-441

Allowed-with-Review

Unintended Proxy or Intermediary ('Confused Deputy')

Abstraction: Class · Status: Draft

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

155 vulnerabilities reference this CWE, most recent first.

GHSA-VJHC-CF4P-72Q4

Vulnerability from github – Published: 2026-06-30 18:15 – Updated: 2026-06-30 18:15
VLAI
Summary
Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration
Details

Summary

Fission's buildermgr controller processed Package CRDs without verifying that Package.spec.environment.namespace matched Package.metadata.namespace.

Details

An attacker with packages.fission.io/create in their own namespace could set spec.environment.namespace to any other tenant's namespace. The controller then used its high-privilege service account to fetch the Environment cross-namespace and dispatch the build command into the victim namespace's builder pod.

The build command's stdout is written verbatim into Package.status.buildlog. By running malicious code through an npm preinstall lifecycle hook (or any equivalent build step), the attacker could read the victim namespace's fission-builder Bearer token from inside that builder pod and surface it through the build log — then use the leaked token to read every Secret and ConfigMap in the victim namespace.

Impact

Cross-tenant compromise: a package author in one namespace could execute code inside another tenant's builder pod and exfiltrate that namespace's fission-builder service-account token, giving namespace-wide secret and configmap read in the victim namespace.

Fix

Fixed in #3379 and released in v1.24.0. Two checks in series:

  • Admission webhook (pkg/webhook/package.go::Validate) rejects Package.spec.environment.namespace != Package.metadata.namespace. An empty namespace is still accepted; the controllers default it to the package's own namespace.
  • Controller belt-and-braces: the same check is repeated in pkg/buildermgr/pkgwatcher.go::build and pkg/buildermgr/common.go::buildPackage before the cross-namespace Environments(...).Get call, so a stale Package CR or a webhook-bypass cluster (failurePolicy=Ignore) cannot exploit the primitive either.

Behavioural change

Packages that explicitly set spec.environment.namespace to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package's own namespace, the same as the prior implicit behaviour).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.23.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/fission/fission"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.24.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49821"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-30T18:15:27Z",
    "nvd_published_at": "2026-06-10T18:17:10Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nFission\u0027s `buildermgr` controller processed `Package` CRDs without verifying that `Package.spec.environment.namespace` matched `Package.metadata.namespace`.\n\n### Details\n\nAn attacker with `packages.fission.io/create` in their own namespace could set `spec.environment.namespace` to any other tenant\u0027s namespace. The controller then used its high-privilege service account to fetch the Environment\ncross-namespace and dispatch the build command into the **victim namespace\u0027s** builder pod.\n\nThe build command\u0027s stdout is written verbatim into `Package.status.buildlog`. By running malicious code through an npm `preinstall` lifecycle hook (or any equivalent build step), the attacker could read the victim namespace\u0027s\n`fission-builder` Bearer token from inside that builder pod and surface it through the build log \u2014 then use the leaked token to read every Secret and ConfigMap in the victim namespace.\n\n### Impact\n\nCross-tenant compromise: a package author in one namespace could execute code inside another tenant\u0027s builder pod and exfiltrate that namespace\u0027s `fission-builder` service-account token, giving namespace-wide secret and configmap read in\n the victim namespace.\n\n### Fix\n\nFixed in [#3379](https://github.com/fission/fission/pull/3379) and released in [v1.24.0](https://github.com/fission/fission/releases/tag/v1.24.0). Two checks in series:\n\n- **Admission webhook** (`pkg/webhook/package.go::Validate`) rejects `Package.spec.environment.namespace != Package.metadata.namespace`. An empty namespace is still accepted; the controllers default it to the package\u0027s own namespace.\n- **Controller belt-and-braces:** the same check is repeated in `pkg/buildermgr/pkgwatcher.go::build` and `pkg/buildermgr/common.go::buildPackage` before the cross-namespace `Environments(...).Get` call, so a stale Package CR or a\nwebhook-bypass cluster (`failurePolicy=Ignore`) cannot exploit the primitive either.\n\n### Behavioural change\n\nPackages that explicitly set `spec.environment.namespace` to a different namespace are now rejected at admission. Empty-string remains accepted (resolves to the package\u0027s own namespace, the same as the prior implicit behaviour).",
  "id": "GHSA-vjhc-cf4p-72q4",
  "modified": "2026-06-30T18:15:27Z",
  "published": "2026-06-30T18:15:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/security/advisories/GHSA-vjhc-cf4p-72q4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49821"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/pull/3379"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/commit/e2b92663499f4dc3a1e2d38178f39c3c65e0134a"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/fission/fission"
    },
    {
      "type": "WEB",
      "url": "https://github.com/fission/fission/releases/tag/v1.24.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Fission: Cross-namespace Environment reference in Package allows build-time command execution and SA token exfiltration"
}

GHSA-VW47-MR44-3JF9

Vulnerability from github – Published: 2021-09-21 18:28 – Updated: 2026-06-09 10:51
VLAI
Summary
Confused Deputy in Kubernetes
Details

A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "k8s.io/kubernetes"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.22.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-25740"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441",
      "CWE-610"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-21T14:54:49Z",
    "nvd_published_at": "2021-09-20T17:15:00Z",
    "severity": "LOW"
  },
  "details": "A security issue was discovered with Kubernetes that could enable users to send network traffic to locations they would otherwise not have access to via a confused deputy attack.",
  "id": "GHSA-vw47-mr44-3jf9",
  "modified": "2026-06-09T10:51:38Z",
  "published": "2021-09-21T18:28:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-25740"
    },
    {
      "type": "WEB",
      "url": "https://github.com/kubernetes/kubernetes/issues/103675"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kubernetes/kubernetes"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/kubernetes-security-announce/c/WYE9ptrhSLE"
    },
    {
      "type": "WEB",
      "url": "https://kubernetes.io/blog/2026/05/26/reconciling-unfixed-kubernetes-cves"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20211014-0001"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Confused Deputy in Kubernetes"
}

GHSA-W34F-VM33-HPXX

Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-03 00:31
VLAI
Details

In multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0008"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-441"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T19:16:29Z",
    "severity": "HIGH"
  },
  "details": "In  multiple locations, there is a possible privilege escalation due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-w34f-vm33-hpxx",
  "modified": "2026-03-03T00:31:10Z",
  "published": "2026-03-02T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0008"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2026-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-WG33-5H85-7Q5P

Vulnerability from github – Published: 2025-02-06 17:07 – Updated: 2025-02-06 19:54
VLAI
Summary
Mitmweb API Authentication Bypass Using Proxy Server
Details

Impact

In mitmweb 11.1.0 and below, a malicious client can use mitmweb's proxy server (bound to *:8080 by default) to access mitmweb's internal API (bound to 127.0.0.1:8081 by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this SSRF-style access to remote code execution.

The mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The block_global option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.

Patches

The vulnerability has been fixed in mitmproxy 11.1.2 and above.

Acknowledgements

We thank Stefan Grönke (@gronke) for reporting this vulnerability as part of a security audit by Radically Open Security. This audit was supported by the NGI0 Entrust fund established by NLnet.

Timeline

  • 2025-01-14: Received initial report.
  • 2025-01-14: Verified report and confirmed receipt.
  • 2025-01-19: Shared patch with researcher.
  • 2025-02-04: Received final confirmation that patch is working.
  • 2025-02-05: Published patched release and advisory.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "mitmproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-23217"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-288",
      "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-06T17:07:41Z",
    "nvd_published_at": "2025-02-06T18:15:32Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nIn mitmweb 11.1.0 and below, a malicious client can use mitmweb\u0027s proxy server (bound to `*:8080` by default) to access mitmweb\u0027s internal API (bound to `127.0.0.1:8081` by default). In other words, while the client cannot access the API directly (good), they can access the API through the proxy (bad). An attacker may be able to escalate this [SSRF](https://en.wikipedia.org/wiki/Server-side_request_forgery)-style access to remote code execution.\n\nThe mitmproxy and mitmdump tools are unaffected. Only mitmweb is affected. The `block_global` option, which is enabled by default, blocks connections originating from publicly-routable IP addresses in the proxy. The attacker needs to be in the same local network.\n\n### Patches\n\nThe vulnerability has been fixed in mitmproxy 11.1.2 and above.\n\n### Acknowledgements\n\nWe thank Stefan Gr\u00f6nke (@gronke) for reporting this vulnerability as part of a security audit by [Radically Open Security](https://www.radicallyopensecurity.com/). This audit was supported by the [NGI0 Entrust fund](https://nlnet.nl/entrust/) established by [NLnet](https://nlnet.nl/).\n\n### Timeline\n\n- **2025-01-14**: Received initial report. \n- **2025-01-14**: Verified report and confirmed receipt.\n- **2025-01-19**: Shared patch with researcher.\n- **2025-02-04**: Received final confirmation that patch is working.\n- **2025-02-05**: Published patched release and advisory.",
  "id": "GHSA-wg33-5h85-7q5p",
  "modified": "2025-02-06T19:54:56Z",
  "published": "2025-02-06T17:07:41Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-wg33-5h85-7q5p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-23217"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/commit/fa89055e196d953f11fd241e36ee37858993486a"
    },
    {
      "type": "WEB",
      "url": "https://en.wikipedia.org/wiki/Server-side_request_forgery"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mitmproxy/mitmproxy"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/blob/main/CHANGELOG.md#06-february-2025-mitmproxy-1112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Mitmweb API Authentication Bypass Using Proxy Server"
}

GHSA-XJV7-6W92-42R7

Vulnerability from github – Published: 2025-10-01 21:20 – Updated: 2025-11-20 17:20
VLAI
Summary
marimo vulnerable to proxy abuse of /mpl/{port}/
Details

Summary

The /mpl/<port>/<route> endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports.

Details

From our understanding, this route is used internally to provide access to interactive matplotlib visualizations. marimo/marimo/_server/main.py at main · marimo-team/marimo This endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified <port> and <route>.

The existence of this proxy is visible in the application's code (marimo/_server/main.py), but there's no official documentation or warning about its behavior or potential risks.

Impact

CWE-441: Proxying Without Authentication

This vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.

Full Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.

Exposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:

Old CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.

phpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.

RPCMapper: Can be used for network reconnaissance and enumerating services.

While you’d hope people wouldn’t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn't limited to a few isolated cases but is a widespread issue affecting production environments.

===

Notes, this was discovered by devgi. I (acepace) followed up and also created this report.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "marimo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.9.20"
            },
            {
              "fixed": "0.16.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-441"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-01T21:20:11Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\nThe  `/mpl/\u003cport\u003e/\u003croute\u003e` endpoint, which is accessible without authentication on default Marimo installations allows for external attackers to reach internal services and arbitrary ports. \n\n### Details\nFrom our understanding, this route is used internally to provide access to interactive matplotlib visualizations.\n[marimo/marimo/_server/main.py at main \u00b7 marimo-team/marimo](https://github.com/marimo-team/marimo/blob/main/marimo/_server/main.py) \nThis endpoint functions as an unauthenticated proxy, allowing an attacker to connect to any service running on the local machine via the specified `\u003cport\u003e` and `\u003croute\u003e`.\n\nThe existence of this proxy is visible in the application\u0027s code (marimo/_server/main.py), but there\u0027s no official documentation or warning about its behavior or potential risks.\n\n\n### Impact\nCWE-441: Proxying Without Authentication\n\nThis vulnerability, as it can be used to bypass firewalls and access internal services that are intended to be local-only. The level of impact depends entirely on what services are running and accessible on the local machine.\n\nFull Local Access: An attacker can use this proxy to connect to local services that answer to web sockets, HTTP or ASGI protocol, effectively gaining a foothold on the machine. Depending on the service, this can lead to remote code execution, data exfiltration, or further network penetration.\n\nExposure of Sensitive Services: Our scans of public-facing Marimo servers have shown that many are exposing sensitive internal services, including:\n\nOld CUPS Servers: Could allow an attacker to view print jobs or configuration or depending on old vulnerabilities, allow RCE.\n\nphpMyAdmin: Provides a web interface to a MySQL database, potentially exposing sensitive data.\n\nRPCMapper: Can be used for network reconnaissance and enumerating services.\n\nWhile you\u2019d hope people wouldn\u2019t expose marimo instances to the internet, we found numerous public Marimo instances using tools like Shodan. Many of these servers, some even hosted on cloud platforms like AWS GovCloud, were found to be vulnerable. This means the vulnerability isn\u0027t limited to a few isolated cases but is a widespread issue affecting production environments.\n\n===\n\nNotes, this was discovered by [devgi](https://github.com/devgi). I ([acepace](https://github.com/acepace)) followed up and also created this report.",
  "id": "GHSA-xjv7-6w92-42r7",
  "modified": "2025-11-20T17:20:23Z",
  "published": "2025-10-01T21:20:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/security/advisories/GHSA-xjv7-6w92-42r7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/commit/0312706d5e594acdb405209b2c8d87c98f46b22b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/marimo-team/marimo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/marimo-team/marimo/releases/tag/0.16.4"
    },
    {
      "type": "WEB",
      "url": "https://marimo-team.notion.site/cve-proxy-without-authentication"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "marimo vulnerable to proxy abuse of /mpl/{port}/"
}

Mitigation
Architecture and Design

Enforce the use of strong mutual authentication mechanism between the two parties.

Mitigation
Architecture and Design

Whenever a product is an intermediary or proxy for transactions between two other components, the proxy core should not drop the identity of the initiator of the transaction. The immutability of the identity of the initiator must be maintained and should be forwarded all the way to the target.

CAPEC-219: XML Routing Detour Attacks

An attacker subverts an intermediate system used to process XML content and forces the intermediate to modify and/or re-route the processing of the content. XML Routing Detour Attacks are Adversary in the Middle type attacks (CAPEC-94). The attacker compromises or inserts an intermediate system in the processing of the XML message. For example, WS-Routing can be used to specify a series of nodes or intermediaries through which content is passed. If any of the intermediate nodes in this route are compromised by an attacker they could be used for a routing detour attack. From the compromised system the attacker is able to route the XML process to other nodes of their choice and modify the responses so that the normal chain of processing is unaware of the interception. This system can forward the message to an outside entity and hide the forwarding and processing from the legitimate processing systems by altering the header information.

CAPEC-465: Transparent Proxy Abuse

A transparent proxy serves as an intermediate between the client and the internet at large. It intercepts all requests originating from the client and forwards them to the correct location. The proxy also intercepts all responses to the client and forwards these to the client. All of this is done in a manner transparent to the client.