AI Threat Alert AI Threat Alert

CVE-2024-41115: streamlit-geospatial: eval() injection enables RCE

CRITICAL PoC AVAILABLE CISA: ATTEND
Published July 26, 2024
CISO Take

Any internet-exposed instance of streamlit-geospatial is fully compromised by an unauthenticated attacker with a single HTTP request. The palette parameter is passed raw to Python's eval(), granting arbitrary code execution as the server process. Patch immediately to commit c4f81d9616d or restrict network access — there is no authentication barrier protecting this.

Risk Assessment

Extremely high. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means this is trivially exploitable by anyone with network access, no credentials or user interaction required. Streamlit apps are routinely deployed on internal data science platforms, Jupyter-adjacent infrastructure, and occasionally exposed publicly for demos or collaboration. The eval()-on-user-input pattern is one of the oldest and most well-understood RCE classes — exploit code requires no AI/ML knowledge whatsoever.

Affected Systems

Package Ecosystem Vulnerable Range Patched
streamlit-geospatial pip No patch
44.5K OpenSSF 7.2 2.8K dependents Pushed today 8% patched ~0d to patch Full package profile →

Do you use streamlit-geospatial? You're affected.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
1.1%
chance of exploitation in 30 days
Higher than 78% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I High
A High

Recommended Action

5 steps

  1. PATCH

    Update to commit c4f81d9616d40c60584e36abb15300853a66e489 immediately.

  2. WORKAROUND (if patching is delayed): Replace eval() with a whitelist-based palette selector that validates input against a predefined list of allowed colormap names — never pass user input to eval(), exec(), or subprocess with shell=True.

  3. NETWORK

    If the app is not required to be public, restrict access via firewall rules or VPN.

  4. DETECTION

    Review web server logs for palette parameter values containing Python builtins (__import__, os, subprocess, open) or non-colormap strings; monitor for unexpected child processes spawned by the Streamlit Python process.

  5. AUDIT

    Inventory all Streamlit-based internal tools for similar eval()/exec() patterns — this vulnerability class is frequently replicated across data science apps.

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Data Extraction Framework AML.T0035 AML.T0037 AML.T0049 AML.T0050 AML.T0072

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
6.1.2 - AI Risk Assessment A.6.2.6 - AI System Technical Security Controls
NIST AI RMF
MANAGE-2.2 - Mechanisms for Responding to AI Risks MAP-5.1 - Likelihood and Impact Estimation
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-41115?

Any internet-exposed instance of streamlit-geospatial is fully compromised by an unauthenticated attacker with a single HTTP request. The palette parameter is passed raw to Python's eval(), granting arbitrary code execution as the server process. Patch immediately to commit c4f81d9616d or restrict network access — there is no authentication barrier protecting this.

Is CVE-2024-41115 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-41115, increasing the risk of exploitation.

How to fix CVE-2024-41115?

1. PATCH: Update to commit c4f81d9616d40c60584e36abb15300853a66e489 immediately. 2. WORKAROUND (if patching is delayed): Replace eval() with a whitelist-based palette selector that validates input against a predefined list of allowed colormap names — never pass user input to eval(), exec(), or subprocess with shell=True. 3. NETWORK: If the app is not required to be public, restrict access via firewall rules or VPN. 4. DETECTION: Review web server logs for palette parameter values containing Python builtins (__import__, os, subprocess, open) or non-colormap strings; monitor for unexpected child processes spawned by the Streamlit Python process. 5. AUDIT: Inventory all Streamlit-based internal tools for similar eval()/exec() patterns — this vulnerability class is frequently replicated across data science apps.

What systems are affected by CVE-2024-41115?

This vulnerability affects the following AI/ML architecture patterns: ML/data science web applications, Geospatial ML pipelines, Internal data science platforms, Research and demo environments, MLOps tooling (Streamlit-based).

What is the CVSS score for CVE-2024-41115?

CVE-2024-41115 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.12%.

Technical Details

NVD Description

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `palette` variable on line 488 in `pages/1_📷_Timelapse.py` takes user input, which is later used in the `eval()` function on line 493, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Exploitation Scenario

An adversary scans for Streamlit applications using tool fingerprinting or Shodan queries for Streamlit's default port (8501) or deployment signatures. They navigate to the Timelapse page of streamlit-geospatial and submit a crafted palette value such as: __import__('subprocess').check_output(['id']) or a full reverse shell payload. The server's eval() executes this Python expression server-side with no validation. The attacker receives a shell with the privileges of the Streamlit process, then proceeds to dump environment variables for cloud credentials, exfiltrate model artifacts and training datasets from the filesystem, and establish persistence or pivot to adjacent internal services. The entire attack chain requires no authentication and no prior knowledge of the target environment.

Weaknesses (CWE)

CWE-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Timeline

Published
July 26, 2024
Last Modified
November 21, 2024
First Seen
July 26, 2024

Related Vulnerabilities

CRITICAL CVE-2024-41116 9.8

streamlit-geospatial: RCE via eval() injection

Same package: streamlit
CRITICAL CVE-2024-41113 9.8

streamlit-geospatial: RCE via eval() in Timelapse page

Same package: streamlit
CRITICAL CVE-2024-41114 9.8

streamlit-geospatial: RCE via eval() on palette input

Same package: streamlit
CRITICAL CVE-2024-41112 9.8

streamlit-geospatial: RCE via eval() on palette input

Same package: streamlit
CRITICAL CVE-2024-41117 9.8

streamlit-geospatial: eval() injection allows RCE

Same package: streamlit
Back to Threat Feed