CVE-2024-41120: streamlit-geospatial: blind SSRF via unvalidated URL input
Severity: Critical. PoC available. CISA SSVC: Attend.
A critical blind SSRF (CVSS 9.8) in streamlit-geospatial allows unauthenticated attackers to force the server to fetch arbitrary URLs — including cloud instance metadata endpoints and internal services. Any team with a public-facing instance must patch immediately or take it offline. Cloud-hosted instances (EC2, GCE, AKS) are at highest risk: SSRF to AWS IMDSv1 yields IAM credentials, turning a UI bug into a full cloud compromise.
What is the risk?
Critical risk. No authentication required, no user interaction, network-accessible — maximum exploitability. The SSRF is blind but highly impactful: attackers can probe internal networks, harvest cloud credentials via IMDS, and pivot laterally. Organizations running this on cloud infrastructure face credential theft risk. Public deployments on Streamlit Cloud or HuggingFace Spaces are especially exposed given zero-barrier discovery. IMDSv1 environments are trivially exploitable to full account takeover.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| Streamlit | pip | — | No patch |
Do you use Streamlit? You're affected.
What should I do?
Six steps:
1. Patch: update to commit c4f81d9616d40c60584e36abb15300853a66e489 or any later release.
2. Immediate workaround if patching is delayed: gate the Vector Data Visualization page behind authentication or disable the page entirely.
3. Network control: block outbound HTTP/HTTPS from the Streamlit process to RFC-1918 ranges and link-local (169.254.0.0/16).
4. AWS hardening: enforce IMDSv2 (hop limit 1) on all instances hosting Streamlit apps.
5. Detection: alert on outbound requests from the app process targeting 169.254.169.254, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
6. Audit: grep all internal Streamlit apps for `gpd.read_file` and similar patterns accepting user-supplied URLs.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
Is CVE-2024-41120 actively exploited?
Proof-of-concept exploit code is publicly available for CVE-2024-41120, increasing the risk of exploitation.
What systems are affected by CVE-2024-41120?
This vulnerability affects the following AI/ML architecture patterns: geospatial ML applications, Streamlit-based ML UIs, data science visualization platforms, cloud-hosted AI demos and internal portals, MLOps tooling with shared internal network access.
What is the CVSS score for CVE-2024-41120?
CVE-2024-41120 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.79%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0025 Exfiltration via Cyber Means
- AML.T0049 Exploit Public-Facing Application
What are the technical details?
Original Advisory
streamlit-geospatial is a streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_🔲_Vector_Data_Visualization.py` takes user input, which is later passed to the `gpd.read_file` method. The `gpd.read_file` method creates a request to arbitrary destinations, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
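As an added example (not code from streamlit-geospatial, its patch or the advisory), a destination check that a Streamlit page could run on the user-supplied `url` before handing it to `gpd.read_file`; it serves both the workaround and audit steps listed under "What should I do?" and the sink the advisory names above. `validate_remote_url`, `is_safe_remote_url`, `fake_resolver` and the `FAKE_DNS` table are hypothetical names, and the DNS answers are constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed DNS answers so the example runs offline (nothing is fetched).
FAKE_DNS = {
    "tiles.example.org": ["93.184.216.34"],
    "metadata.internal.example": ["169.254.169.254"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],
    "v6mapped.example.org": ["::ffff:169.254.169.254"],
}

def fake_resolver(host, port):  # stand-in for socket.getaddrinfo
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed: no record for {host}")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (a, port)) for a in FAKE_DNS[host]]

def _is_public_address(ip) -> bool:
    # Unwrap IPv4-mapped IPv6 so ::ffff:169.254.169.254 is judged as IPv4.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Rejects loopback, RFC-1918, link-local (IMDS sits at 169.254.169.254), multicast, reserved.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def validate_remote_url(url: str, resolver=socket.getaddrinfo) -> str:
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("missing host or embedded credentials")
    try:  # an IP literal is judged directly; a hostname is resolved first
        addrs = [ipaddress.ip_address(parts.hostname)]
    except ValueError:
        try:
            infos = resolver(parts.hostname, parts.port or 443)
        except socket.gaierror as exc:
            raise ValueError(f"unresolvable host: {parts.hostname}") from exc
        addrs = [ipaddress.ip_address(info[4][0]) for info in infos]
    for ip in addrs:  # every record must be public; mixed answers are rejected
        if not _is_public_address(ip):
            raise ValueError(f"{parts.hostname} points at internal address {ip}")
    return url

def is_safe_remote_url(url: str, resolver=socket.getaddrinfo) -> bool:
    # Boolean form for a page to call before gpd.read_file(url).
    try:
        validate_remote_url(url, resolver)
        return True
    except ValueError:
        return False
```

The check only covers the addresses seen at validation time; the fetch inside `gpd.read_file` resolves the name again, so a record that changes between check and fetch is not caught, which is why the egress blocking in step 3 is still needed alongside it.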
Exploitation Scenario
Attacker discovers a public streamlit-geospatial instance via Shodan or by searching Streamlit Cloud. Without credentials, they navigate to the Vector Data Visualization page and submit `http://169.254.169.254/latest/meta-data/iam/security-credentials/` as the URL input. The server fetches it via `gpd.read_file()` and the response surfaces in the app. The attacker extracts temporary IAM credentials, then uses them to enumerate and exfiltrate S3 buckets containing training datasets, model weights, or customer data — escalating from a trivial UI interaction to a full cloud breach.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References
- github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/9_%F0%9F%94%B2_Vector_Data_Visualization.py (Product)
- github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489 (Patch)
- securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/ (Exploit, 3rd Party)
- github.com/fkie-cad/nvd-json-data-feeds (Exploit)
Related Vulnerabilities
- CVE-2024-41115 (9.8) streamlit-geospatial: eval() injection enables RCE. Same package: streamlit
- CVE-2024-41113 (9.8) streamlit-geospatial: RCE via eval() in Timelapse page. Same package: streamlit
- CVE-2024-41114 (9.8) streamlit-geospatial: RCE via eval() on palette input. Same package: streamlit
- CVE-2024-41112 (9.8) streamlit-geospatial: RCE via eval() on palette input. Same package: streamlit
- CVE-2024-41116 (9.8) streamlit-geospatial: RCE via eval() injection. Same package: streamlit