CVE-2024-41120: streamlit-geospatial: blind SSRF via unvalidated URL input

Status: CRITICAL | Public PoC available | CISA SSVC: Attend
Published: July 26, 2024
CISO Take

A critical blind SSRF (CVSS 9.8) in streamlit-geospatial allows unauthenticated attackers to force the server to fetch arbitrary URLs — including cloud instance metadata endpoints and internal services. Any team with a public-facing instance must patch immediately or take it offline. Cloud-hosted instances (EC2, GCE, AKS) are at highest risk: SSRF to AWS IMDSv1 yields IAM credentials, turning a UI bug into a full cloud compromise.

Risk Assessment

Critical risk. No authentication required, no user interaction, network-accessible — maximum exploitability. The SSRF is blind but highly impactful: attackers can probe internal networks, harvest cloud credentials via IMDS, and pivot laterally. Organizations running this on cloud infrastructure face credential theft risk. Public deployments on Streamlit Cloud or HuggingFace Spaces are especially exposed given zero-barrier discovery. IMDSv1 environments are trivially exploitable to full account takeover.

Affected Systems

Package: streamlit-geospatial
Ecosystem: pip
Vulnerable range: (not listed)
Patched: No patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 0.2% chance of exploitation in 30 days (higher than 47% of all CVEs)
Exploitation status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface (CVSS 3.1 base metrics)

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): High
A (Availability): High

Recommended Action

  1. Patch: Update to commit c4f81d9616d40c60584e36abb15300853a66e489 or any later release.

  2. Immediate workaround if patching is delayed: gate the Vector Data Visualization page behind authentication or disable the page entirely.

  3. Network control: block outbound HTTP/HTTPS from the Streamlit process to RFC-1918 ranges and link-local (169.254.0.0/16).

  4. AWS hardening: enforce IMDSv2 (hop limit 1) on all instances hosting Streamlit apps.

  5. Detection: alert on outbound requests from the app process targeting 169.254.169.254, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.

  6. Audit: grep all internal Streamlit apps for `gpd.read_file` and similar patterns accepting user-supplied URLs.

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.5 - AI system input controls
NIST AI RMF: MANAGE-2.2 - AI risk controls and residual risk are evaluated
OWASP LLM Top 10: OWASP-A10:2021 - Server-Side Request Forgery

Frequently Asked Questions

What is CVE-2024-41120?

A critical blind SSRF (CVSS 9.8) in streamlit-geospatial allows unauthenticated attackers to force the server to fetch arbitrary URLs — including cloud instance metadata endpoints and internal services. Any team with a public-facing instance must patch immediately or take it offline. Cloud-hosted instances (EC2, GCE, AKS) are at highest risk: SSRF to AWS IMDSv1 yields IAM credentials, turning a UI bug into a full cloud compromise.

Is CVE-2024-41120 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-41120, increasing the risk of exploitation.

How to fix CVE-2024-41120?

1. Patch: Update to commit c4f81d9616d40c60584e36abb15300853a66e489 or any later release.
2. Immediate workaround if patching is delayed: gate the Vector Data Visualization page behind authentication or disable the page entirely.
3. Network control: block outbound HTTP/HTTPS from the Streamlit process to RFC-1918 ranges and link-local (169.254.0.0/16).
4. AWS hardening: enforce IMDSv2 (hop limit 1) on all instances hosting Streamlit apps.
5. Detection: alert on outbound requests from the app process targeting 169.254.169.254, 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16.
6. Audit: grep all internal Streamlit apps for `gpd.read_file` and similar patterns accepting user-supplied URLs.

What systems are affected by CVE-2024-41120?

This vulnerability affects the following AI/ML architecture patterns: geospatial ML applications, Streamlit-based ML UIs, data science visualization platforms, cloud-hosted AI demos and internal portals, MLOps tooling with shared internal network access.

What is the CVSS score for CVE-2024-41120?

CVE-2024-41120 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.24%.

Technical Details

NVD Description

streamlit-geospatial is a Streamlit multipage app for geospatial applications. Prior to commit c4f81d9616d40c60584e36abb15300853a66e489, the `url` variable on line 63 of `pages/9_🔲_Vector_Data_Visualization.py` takes user input, which is later passed to the `gpd.read_file` method. `gpd.read_file` issues a request to whatever destination the URL names, leading to blind server-side request forgery. Commit c4f81d9616d40c60584e36abb15300853a66e489 fixes this issue.
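The following is an added example, not code from this advisory or from the streamlit-geospatial project. It shows the defensive side of the pattern the NVD text describes (a user-supplied `url` handed straight to `gpd.read_file`) and covers the Recommended Action steps that call for code: an input gate that rejects URLs whose host resolves to link-local, RFC 1918 or other non-public addresses (steps 2 and 6), and a detector that runs over egress log lines and flags destinations in the ranges step 5 names. The host names, the `{host: [ip]}` resolver table, the log line format and the `proc=`/`dst=` fields are all constructed for the example; the real page's widget is `st.text_input` and the reader is `gpd.read_file`, which is referenced only in a comment so the module runs offline.

```python
"""Added example (not the advisory's or the project's code): URL gate and egress
detection for the user-URL -> gpd.read_file pattern. Network lookups are
injectable and the log lines are constructed, so everything runs offline."""
import ipaddress
import re
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def is_internal_address(ip_text: str) -> bool:
    """True for any address the server must never fetch on a user's behalf:
    RFC 1918, loopback, link-local (covers 169.254.169.254), multicast, reserved,
    unspecified, and anything else not globally routable. IPv4-mapped IPv6
    (::ffff:a.b.c.d) is unwrapped so it cannot slip past the IPv4 rules."""
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global)


def validate_remote_url(url: str, resolve=socket.getaddrinfo) -> str:
    """Return the URL if it is http(s), carries no credentials, and every address
    its host resolves to is public; raise ValueError otherwise. `resolve` has
    socket.getaddrinfo's signature so the check is testable without DNS."""
    url = url.strip()
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:  # also blocks file:// and GDAL /vsi* paths
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    try:
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    addresses = sorted({info[4][0] for info in infos})  # sockaddr[0] is the IP for v4 and v6
    if not addresses:
        raise ValueError(f"no addresses for {host!r}")
    internal = [a for a in addresses if is_internal_address(a)]
    if internal:
        raise ValueError(f"{host!r} resolves to internal address(es): {internal}")
    return url


def is_allowed(url: str, resolve=socket.getaddrinfo) -> bool:
    """Verdict-only wrapper around validate_remote_url."""
    try:
        validate_remote_url(url, resolve)
        return True
    except ValueError:
        return False


def fake_resolver(table):
    """getaddrinfo-compatible stand-in built from a constructed {host: [ip, ...]} table."""
    def _resolve(host, port, *args, **kwargs):
        try:
            ipaddress.ip_address(host)
            ips = [host]  # an IP literal resolves to itself
        except ValueError:
            if host not in table:
                raise socket.gaierror(f"unknown host {host}")
            ips = table[host]
        return [(None, None, None, "", (ip, port)) for ip in ips]
    return _resolve


# Constructed egress records: one line per outbound connection from the app
# process, destination as dst=IP:port (IPv6 in brackets).
SAMPLE_EGRESS_LOG = [
    "2024-07-26T10:00:01Z proc=streamlit dst=93.184.216.34:443 url=https://data.example/parcels.geojson",
    "2024-07-26T10:00:07Z proc=streamlit dst=169.254.169.254:80 url=http://169.254.169.254/latest/meta-data/",
    "2024-07-26T10:00:09Z proc=streamlit dst=10.0.3.12:8080 url=http://10.0.3.12:8080/",
    "2024-07-26T10:00:11Z proc=streamlit dst=[::ffff:192.168.1.5]:80 url=http://[::ffff:192.168.1.5]/",
]
EGRESS_DST = re.compile(r"\bdst=(?P<ip>\[[^\]]+\]|[^:\s]+):(?P<port>\d+)")


def flag_internal_egress(log_lines):
    """Return (line_number, destination_ip) for every record whose destination is
    internal (step 5). A dst that is not an IP literal is skipped."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = EGRESS_DST.search(line)
        if not match:
            continue
        ip_text = match.group("ip").strip("[]")
        try:
            if is_internal_address(ip_text):
                hits.append((number, ip_text))
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # In the Streamlit page (not executed here) the gate sits between widget and reader:
    #     url = st.text_input("Enter a URL to a vector dataset")
    #     gdf = gpd.read_file(validate_remote_url(url))
    resolve = fake_resolver({"data.example": ["93.184.216.34"],
                             "metadata.internal": ["169.254.169.254"]})
    for candidate in ("https://data.example/parcels.geojson",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://metadata.internal/", "file:///etc/passwd"):
        print("allow" if is_allowed(candidate, resolve) else "deny ", candidate)
    for number, ip in flag_internal_egress(SAMPLE_EGRESS_LOG):
        print(f"ALERT egress line {number}: internal destination {ip}")
```

Two limits of the gate explain why steps 3 and 4 are listed alongside it: the hostname is resolved once at validation time and again by the fetching library, so DNS answers that change between the two lookups are not caught, and a URL that passes can still redirect to an internal address when the underlying reader follows redirects. Egress filtering on the host and IMDSv2 with a hop limit of 1 close both gaps independently of what the application checks.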

Exploitation Scenario

Attacker discovers a public streamlit-geospatial instance via Shodan or by searching Streamlit Cloud. Without credentials, they navigate to the Vector Data Visualization page and submit `http://169.254.169.254/latest/meta-data/iam/security-credentials/` as the URL input. The server fetches it via `gpd.read_file()` and the response surfaces in the app. The attacker extracts temporary IAM credentials, then uses them to enumerate and exfiltrate S3 buckets containing training datasets, model weights, or customer data — escalating from a trivial UI interaction to a full cloud breach.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: July 26, 2024
Last Modified: November 21, 2024
First Seen: July 26, 2024
