CVE-2024-41118: streamlit-geospatial: blind SSRF via WMS URL input

Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published: July 26, 2024
CISO Take

A critical unauthenticated SSRF in streamlit-geospatial allows any remote attacker to force the server to make arbitrary HTTP requests — including to cloud metadata endpoints (AWS/GCP/Azure IMDS) that expose IAM credentials. Any internet-exposed instance is fully compromised with zero effort. Patch immediately to commit c4f81d9616d40c60584e36abb15300853a66e489 or take the Web Map Service page offline until patched.

Risk Assessment

CRITICAL. CVSS 9.8 with no authentication, no user interaction, and network-accessible attack surface. Cloud-hosted deployments face the highest risk: SSRF reliably harvests temporary IAM credentials from metadata services, enabling full cloud account takeover. Public PoC exists via GitHub Security Lab advisory, placing this within reach of low-skill attackers. Streamlit apps are frequently deployed in data science environments with broad cloud IAM permissions, amplifying blast radius significantly.

Affected Systems

Package: streamlit-geospatial
Ecosystem: pip
Vulnerable Range: (not stated)
Patched: No patched release listed (fix available as commit c4f81d9616d40c60584e36abb15300853a66e489)

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 44% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

1. PATCH: Apply commit c4f81d9616d40c60584e36abb15300853a66e489, which adds URL allowlisting to the WMS endpoint.

2. ISOLATE: If patching is delayed, disable or restrict access to the Web Map Service page to authenticated internal users only.

3. EGRESS FILTER: Block outbound requests from the application server to IMDS endpoints (169.254.169.254, 100.100.100.200, fd00:ec2::254) and internal RFC1918 ranges.

4. DETECT: Alert on outbound HTTP from the Streamlit process to internal IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and metadata addresses.

5. AUDIT: If the instance was internet-exposed prior to patching, review cloud IAM audit logs for anomalous credential use and rotate any potentially exposed credentials immediately.
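Steps 3 and 4 above (egress filtering and detection) come down to one question: is the Streamlit process talking to a metadata or private address? The following is an added example, not code from the advisory or from the streamlit-geospatial project, that encodes exactly the address list given in those steps and runs it over a few constructed outbound-connection log lines. The log format (`proc=`, `pid=`, `dst=`, `method=`, `path=`) is an assumption; adapt the regex to whatever your egress proxy or host agent actually emits.

```python
"""Detect outbound requests from the Streamlit process to cloud metadata
or RFC1918 destinations (Recommended Action steps 3 and 4).

Added example; not part of the advisory or the project. The log line
format is assumed and the sample lines are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Destinations the advisory says to block (step 3) and alert on (step 4).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.169.254/32",   # AWS/GCP/Azure IMDS (IPv4)
    "100.100.100.200/32",   # metadata address listed in the advisory
    "fd00:ec2::254/128",    # AWS IMDS (IPv6)
    "10.0.0.0/8",           # RFC1918
    "172.16.0.0/12",        # RFC1918
    "192.168.0.0/16",       # RFC1918
)]

# Assumed log format: "<ts> proc=<name> pid=<n> dst=<ip>:<port> method=<verb> path=<path>"
# IPv6 destinations are written in brackets, e.g. dst=[fd00:ec2::254]:80.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=\[?(?P<ip>[0-9a-fA-F.:]+)\]?:(?P<port>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)$"
)


@dataclass
class Alert:
    ts: str
    pid: int
    dst: str
    path: str
    reason: str


def classify_destination(ip_text):
    """Return the blocked network containing ip_text, or None if the
    address is not blocked (or is not a valid address at all)."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net in BLOCKED_NETWORKS:
        if addr in net:          # returns False across IPv4/IPv6 families
            return net
    return None


def detect_ssrf_egress(lines, process_name="streamlit"):
    """Return one Alert per log line where the named process connected
    to a metadata endpoint or private range. Lines from other processes
    and unparseable lines are ignored."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["proc"] != process_name:
            continue
        net = classify_destination(m["ip"])
        if net is None:
            continue
        # Single-host networks in the list are the metadata endpoints.
        reason = ("cloud metadata endpoint"
                  if net.prefixlen == net.max_prefixlen else "private range")
        alerts.append(Alert(m["ts"], int(m["pid"]), m["ip"], m["path"], reason))
    return alerts


# Constructed sample: one legitimate WMS fetch, three that should alert,
# and one line from an unrelated process that must be ignored.
SAMPLE_LOG = """\
2024-07-27T10:01:02Z proc=streamlit pid=4242 dst=203.0.113.10:443 method=GET path=/wms?SERVICE=WMS&REQUEST=GetCapabilities
2024-07-27T10:01:09Z proc=streamlit pid=4242 dst=169.254.169.254:80 method=GET path=/latest/meta-data/
2024-07-27T10:01:15Z proc=streamlit pid=4242 dst=10.0.3.7:8080 method=GET path=/
2024-07-27T10:01:20Z proc=streamlit pid=4242 dst=[fd00:ec2::254]:80 method=GET path=/latest/meta-data/
2024-07-27T10:01:25Z proc=sshd pid=911 dst=192.168.1.5:22 method=- path=-
"""

if __name__ == "__main__":
    for a in detect_ssrf_egress(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} pid={a.pid} -> {a.dst} {a.path}: {a.reason}")
```

The same `BLOCKED_NETWORKS` list is what the egress filter in step 3 should deny at the network layer; the detector exists because a filter can be misconfigured or bypassed by an address you forgot to list, and a Streamlit process that never legitimately talks to internal ranges gives a clean signal with few false positives.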

CISA SSVC Assessment

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.9.2 - AI System Security Controls
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied
OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2024-41118?

A critical unauthenticated SSRF in streamlit-geospatial allows any remote attacker to force the server to make arbitrary HTTP requests — including to cloud metadata endpoints (AWS/GCP/Azure IMDS) that expose IAM credentials. Any internet-exposed instance is fully compromised with zero effort. Patch immediately to commit c4f81d9616d40c60584e36abb15300853a66e489 or take the Web Map Service page offline until patched.

Is CVE-2024-41118 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-41118, increasing the risk of exploitation.

How to fix CVE-2024-41118?

1. PATCH: Apply commit c4f81d9616d40c60584e36abb15300853a66e489, which adds URL allowlisting to the WMS endpoint.
2. ISOLATE: If patching is delayed, disable or restrict access to the Web Map Service page to authenticated internal users only.
3. EGRESS FILTER: Block outbound requests from the application server to IMDS endpoints (169.254.169.254, 100.100.100.200, fd00:ec2::254) and internal RFC1918 ranges.
4. DETECT: Alert on outbound HTTP from the Streamlit process to internal IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and metadata addresses.
5. AUDIT: If the instance was internet-exposed prior to patching, review cloud IAM audit logs for anomalous credential use and rotate any potentially exposed credentials immediately.

What systems are affected by CVE-2024-41118?

This vulnerability affects the following AI/ML architecture patterns: ML UI and dashboards, Streamlit-based data science apps, Geospatial AI applications, Cloud-hosted ML platforms, Multi-tenant AI serving infrastructure.

What is the CVSS score for CVE-2024-41118?

CVE-2024-41118 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.21%.

Technical Details

NVD Description

streamlit-geospatial is a Streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 47 of `pages/7_📦_Web_Map_Service.py` takes user input, which is passed to the `get_layers` function, where `url` is used with the `get_wms_layer` method. The `get_wms_layer` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
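The flow the NVD description names (user-supplied `url` handed to `get_layers`, which hands it to an HTTP request) is the whole bug, and the "URL allowlisting" that Recommended Action step 1 attributes to the fix commit is the whole remedy. The following added example puts a vulnerable `get_layers` beside a hardened one; it is not the project's code and not the content of commit c4f81d9616d40c60584e36abb15300853a66e489. Function names, the allowlist hosts, and the DNS table are assumptions or constructed values, and the HTTP client is injected as a `fetch` callable so the example runs offline. It goes one step beyond the fix as the page describes it by also checking the addresses an allowlisted name resolves to.

```python
"""Vulnerable vs. hardened handling of a user-supplied WMS URL.

Added example, not the project's code. Hostnames, DNS answers and
function names are constructed/assumed."""
import ipaddress
import socket
from urllib.parse import urlsplit, urlunsplit

# Deployment-specific allowlist of WMS servers (constructed hostnames).
ALLOWED_WMS_HOSTS = {"wms.example.org", "maps.example.net"}

# Metadata addresses from the advisory that ipaddress does not already
# classify as private/link-local.
EXTRA_FORBIDDEN = {ipaddress.ip_address("100.100.100.200"),
                   ipaddress.ip_address("fd00:ec2::254")}

CAPABILITIES = "?SERVICE=WMS&REQUEST=GetCapabilities"


class WmsUrlRejected(ValueError):
    """Raised when a WMS URL fails validation."""


def get_layers_vulnerable(url, fetch):
    """Pre-fix shape: whatever the user typed is requested as-is."""
    return fetch(url + CAPABILITIES)


def is_forbidden_address(text):
    """True for loopback, link-local (incl. 169.254.169.254), RFC1918/ULA,
    reserved, multicast, unspecified and the extra metadata addresses."""
    ip = ipaddress.ip_address(text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified
            or ip in EXTRA_FORBIDDEN)


def validate_wms_url(url, allowed_hosts=ALLOWED_WMS_HOSTS,
                     resolver=socket.getaddrinfo):
    """Return a normalised base URL or raise WmsUrlRejected.

    Checks in order: scheme, embedded credentials, hostname allowlist,
    then every address the name resolves to must be public unicast."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise WmsUrlRejected(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise WmsUrlRejected("credentials in URL are not allowed")
    host = parts.hostname
    if not host or host not in allowed_hosts:
        raise WmsUrlRejected(f"host not on allowlist: {host!r}")
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError as exc:
        raise WmsUrlRejected(f"invalid port: {exc}") from exc
    try:
        infos = resolver(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        raise WmsUrlRejected(f"cannot resolve {host!r}: {exc}") from exc
    for _family, _type, _proto, _canon, sockaddr in infos:
        if is_forbidden_address(sockaddr[0]):
            raise WmsUrlRejected(
                f"{host!r} resolves to forbidden address {sockaddr[0]}")
    # Keep scheme/netloc/path only; the caller appends the WMS query.
    return urlunsplit((parts.scheme, parts.netloc, parts.path or "/", "", ""))


def rejection_reason(url, **kw):
    """None if the URL is accepted, else the rejection message."""
    try:
        validate_wms_url(url, **kw)
        return None
    except WmsUrlRejected as exc:
        return str(exc)


def get_layers_hardened(url, fetch, **kw):
    """Post-fix shape: validate first, then request the normalised URL."""
    return fetch(validate_wms_url(url, **kw) + CAPABILITIES)


def static_resolver(table):
    """getaddrinfo stand-in for offline use: host -> list of addresses."""
    def resolve(host, port, proto=0):
        if host not in table:
            raise socket.gaierror(f"constructed: unknown host {host}")
        return [(socket.AF_INET6 if ":" in a else socket.AF_INET,
                 socket.SOCK_STREAM, socket.IPPROTO_TCP, "", (a, port))
                for a in table[host]]
    return resolve


# Constructed DNS answers. 100.200.0.1 / 100.201.0.1 stand in for "some
# public address"; maps.example.net deliberately also has an internal record.
DEMO_DNS = {"wms.example.org": ["100.200.0.1"],
            "maps.example.net": ["100.201.0.1", "10.0.0.5"]}

if __name__ == "__main__":
    r = static_resolver(DEMO_DNS)
    for u in ("https://wms.example.org/geoserver/wms?x=1",
              "http://169.254.169.254/latest/meta-data/",
              "http://maps.example.net/wms"):
        print(u, "->", rejection_reason(u, resolver=r) or "accepted")
```

One caveat on the resolution check: the HTTP client will resolve the name again when it connects, so a name whose answer changes between the check and the request (DNS rebinding) can still slip through. To close that gap, connect to the address you validated (most clients let you pin the resolved IP or supply a custom resolver) rather than letting the client resolve independently; the hostname allowlist is the primary control and the resolution check is defence in depth.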

Exploitation Scenario

An attacker enumerates internet-exposed Streamlit applications via Shodan or passive DNS. Upon finding a streamlit-geospatial instance, they navigate to the Web Map Service page and submit a crafted WMS URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server issues the request, and the attacker receives temporary AWS IAM credentials tied to the instance role. Depending on IAM permissions — common in data science environments — the attacker accesses S3 buckets containing ML training datasets, model artifacts, or proprietary customer data, or escalates to broader AWS account compromise. The entire chain takes under five minutes with no authentication. Note that the NVD description classifies the issue as blind SSRF, meaning the response body is not necessarily returned to the attacker directly; the credential-theft outcome above assumes some path (reflected errors, response content rendered in the page) by which the fetched data becomes visible.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: July 26, 2024
Last Modified: November 21, 2024
First Seen: July 26, 2024
