CVE-2024-41118: streamlit-geospatial: blind SSRF via WMS URL input

Severity: CRITICAL | PoC available | CISA SSVC: Track*
Published July 26, 2024
CISO Take

A critical unauthenticated SSRF in streamlit-geospatial allows any remote attacker to force the server to make arbitrary HTTP requests — including to cloud metadata endpoints (AWS/GCP/Azure IMDS) that expose IAM credentials. Any internet-exposed instance is fully compromised with zero effort. Patch immediately to commit c4f81d9616d40c60584e36abb15300853a66e489 or take the Web Map Service page offline until patched.

What is the risk?

CRITICAL. CVSS 9.8 with no authentication, no user interaction, and network-accessible attack surface. Cloud-hosted deployments face the highest risk: SSRF reliably harvests temporary IAM credentials from metadata services, enabling full cloud account takeover. Public PoC exists via GitHub Security Lab advisory, placing this within reach of low-skill attackers. Streamlit apps are frequently deployed in data science environments with broad cloud IAM permissions, amplifying blast radius significantly.

What systems are affected?

Package   | Ecosystem | Vulnerable Range | Patched
Streamlit | pip       |                  | No patch

Do you use Streamlit? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. PATCH

    Apply commit c4f81d9616d40c60584e36abb15300853a66e489, which adds URL allowlisting to the WMS endpoint.

  2. ISOLATE

    If patching is delayed, disable or restrict access to the Web Map Service page to authenticated internal users only.

  3. EGRESS FILTER

    Block outbound requests from the application server to IMDS endpoints (169.254.169.254, 100.100.100.200, fd00:ec2::254) and internal RFC1918 ranges.

  4. DETECT

    Alert on outbound HTTP from the Streamlit process to internal IPs (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and metadata addresses.

  5. AUDIT

    If the instance was internet-exposed prior to patching, review cloud IAM audit logs for anomalous credential use and rotate any potentially exposed credentials immediately.
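As a defensive illustration of the PATCH, EGRESS FILTER and DETECT steps above, here is an added example of the kind of URL allowlisting a WMS input handler should apply before it fetches anything; it is not the project's patch and not code from this page, and the function names (check_wms_url, resolve_host, is_forbidden_address) and the operator-supplied allowlist are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Cloud metadata addresses named in the egress-filter step above.
METADATA_ADDRESSES = {
    ipaddress.ip_address("169.254.169.254"),
    ipaddress.ip_address("100.100.100.200"),
    ipaddress.ip_address("fd00:ec2::254"),
}

def resolve_host(host):
    """Return every IPv4/IPv6 address for `host`; literals skip DNS."""
    try:
        return {ipaddress.ip_address(host)}
    except ValueError:
        pass
    infos = socket.getaddrinfo(host, None)
    return {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}

def is_forbidden_address(addr):
    """True for any address a server-side fetch must never reach
    (IMDS, RFC1918, loopback, link-local, multicast, reserved)."""
    return (addr in METADATA_ADDRESSES or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_reserved
            or addr.is_unspecified)

def check_wms_url(url, allowed_hosts, resolver=resolve_host):
    """Return (ok, reason). `allowed_hosts` is the explicit set of WMS servers
    this deployment needs (hypothetical); `resolver` is injectable for offline tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host.lower() not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} is not on the allowlist"
    # Resolve even allowlisted names: a host pointing at an internal address
    # (misconfiguration or DNS rebinding) must still be rejected.
    try:
        addrs = resolver(host)
    except (socket.gaierror, ValueError):
        return False, "host does not resolve"
    for addr in addrs:
        if is_forbidden_address(addr):
            return False, f"{host} resolves to forbidden address {addr}"
    return True, "ok"
```

The rejected reason strings are worth logging: a burst of "forbidden address" rejections from the WMS page is the application-layer counterpart of the egress alert in the DETECT step.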

What does CISA's SSVC say?

Decision: Track*
Exploitation: poc
Automatable: Yes
Technical Impact: partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.9.2 - AI System Security Controls
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain the value of deployed AI are evaluated and applied
OWASP LLM Top 10
LLM07 - Insecure Plugin Design

Frequently Asked Questions


Is CVE-2024-41118 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-41118, increasing the risk of exploitation.


What systems are affected by CVE-2024-41118?

This vulnerability affects the following AI/ML architecture patterns: ML UI and dashboards, Streamlit-based data science apps, Geospatial AI applications, Cloud-hosted ML platforms, Multi-tenant AI serving infrastructure.

What is the CVSS score for CVE-2024-41118?

CVE-2024-41118 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.71%.

What is the AI security impact?

Affected AI Architectures

ML UI and dashboards
Streamlit-based data science apps
Geospatial AI applications
Cloud-hosted ML platforms
Multi-tenant AI serving infrastructure

MITRE ATLAS Techniques

AML.T0006 Active Scanning
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.9.2
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 47 of `pages/7_📦_Web_Map_Service.py` takes user input, which is passed to the `get_layers` function, in which `url` is used with the `get_wms_layer` method. The `get_wms_layer` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.

Exploitation Scenario

An attacker enumerates internet-exposed Streamlit applications via Shodan or passive DNS. Upon finding a streamlit-geospatial instance, they navigate to the Web Map Service page and submit a crafted WMS URL targeting http://169.254.169.254/latest/meta-data/iam/security-credentials/. The server issues the request, and the attacker receives temporary AWS IAM credentials tied to the instance role. Depending on IAM permissions — common in data science environments — the attacker accesses S3 buckets containing ML training datasets, model artifacts, or proprietary customer data, or escalates to broader AWS account compromise. The entire chain takes under five minutes with no authentication.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
July 26, 2024
Last Modified
November 21, 2024
First Seen
July 26, 2024
