CVE-2022-35918 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

Streamlit apps using custom components allow unauthenticated attackers to read arbitrary server files — including API keys, credentials, and model configs — via crafted URLs. Upgrade to 1.11.1 immediately; no workarounds exist. Treat this as high-priority if your ML teams run Streamlit on servers co-located with LLM API keys, cloud credentials, or training data.

Risk Assessment

CVSS 6.5 Medium understates real-world risk in ML environments. Streamlit servers typically run with broad filesystem access alongside .env files containing LLM API keys (OpenAI, Anthropic), cloud credentials, and database connection strings. Exploitation requires only network access and a crafted URL — no authentication, no specialized knowledge. The 'user interaction required' flag reflects one attack path but direct server-side exploitation is equally viable.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
streamlit	pip	—	No patch
44.4K OpenSSF 7.2 2.8K dependents Pushed 7d ago 8% patched ~0d to patch Full package profile →

Do you use streamlit? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

1.4%

chance of exploitation in 30 days

Higher than 81% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR None

UI Required

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Upgrade to Streamlit >= 1.11.1 — patching is the only fix.
Audit running versions: pip show streamlit | grep Version across all environments.
Search logs for path traversal patterns: ../, %2e%2e%2f, and double-encoded variants in URL parameters.
Rotate any secrets (LLM API keys, DB credentials, cloud tokens) accessible on affected servers.
Restrict Streamlit process filesystem permissions to only required directories.
Place internal Streamlit instances behind an authenticated reverse proxy.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Data Leakage Framework AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

ISO 42001

A.6.1.2 - AI system risk assessment A.8.5 - Security of AI systems

NIST AI RMF

GOVERN 1.7 - Processes for identifying and addressing AI risks and impacts MANAGE 2.2 - Mechanisms are in place to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM03:2025 - Supply Chain

Frequently Asked Questions

What is CVE-2022-35918?

Streamlit apps using custom components allow unauthenticated attackers to read arbitrary server files — including API keys, credentials, and model configs — via crafted URLs. Upgrade to 1.11.1 immediately; no workarounds exist. Treat this as high-priority if your ML teams run Streamlit on servers co-located with LLM API keys, cloud credentials, or training data.

Is CVE-2022-35918 actively exploited?

No confirmed active exploitation of CVE-2022-35918 has been reported, but organizations should still patch proactively.

How to fix CVE-2022-35918?

1. Upgrade to Streamlit >= 1.11.1 — patching is the only fix. 2. Audit running versions: `pip show streamlit | grep Version` across all environments. 3. Search logs for path traversal patterns: ../, %2e%2e%2f, and double-encoded variants in URL parameters. 4. Rotate any secrets (LLM API keys, DB credentials, cloud tokens) accessible on affected servers. 5. Restrict Streamlit process filesystem permissions to only required directories. 6. Place internal Streamlit instances behind an authenticated reverse proxy.

What systems are affected by CVE-2022-35918?

This vulnerability affects the following AI/ML architecture patterns: ML UI dashboards, model serving interfaces, data science platforms, internal ML tooling, prototype ML deployments.

What is the CVSS score for CVE-2022-35918?

CVE-2022-35918 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 1.40%.

Technical Details

NVD Description

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

Exploitation Scenario

An adversary targeting an ML team discovers an internal Streamlit dashboard via subdomain enumeration or a leaked internal URL. They craft a request with path traversal sequences targeting common credential locations (/home/user/.env, /app/.env, /etc/passwd, ~/.aws/credentials). Since ML pipeline servers often store OpenAI or Anthropic API keys alongside Streamlit apps, a successful traversal yields credentials enabling broader infrastructure compromise — pivoting from a data science UI to cloud account takeover.