AI Threat Alert

CVE-2024-42474: Streamlit: path traversal leaks Windows NTLM hash

MEDIUM PoC AVAILABLE
Published August 12, 2024
CISO Take

Streamlit deployments on Windows with static file sharing enabled expose the running user's NTLM password hash to any low-privileged attacker. That hash can be cracked offline or weaponized in pass-the-hash attacks for lateral movement. Patch to v1.37.0 immediately and audit whether static file sharing is active across your data science environment.

What is the risk?

CVSS 6.5 understates enterprise risk. Streamlit is pervasive in data science teams on Windows workstations and servers, frequently running under domain accounts with elevated privileges for database or GPU access. An exposed NTLM hash enables offline brute-force or direct pass-the-hash attacks, potentially granting access to broader enterprise resources. Risk escalates significantly in domain-joined environments where a single compromised account can cascade. The low attack complexity and no user interaction requirement mean exploitation is straightforward once a vulnerable instance is identified.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Streamlit pip No patch
45.0K OpenSSF 7.2 2.9K dependents Pushed 3d ago 7% patched ~0d to patch Full package profile →

Do you use Streamlit? You're affected.

How severe is it?

CVSS 3.1
6.5 / 10
EPSS
0.6%
chance of exploitation in 30 days
Higher than 43% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

What should I do?

6 steps

  1. Patch: Upgrade Streamlit to v1.37.0 or later immediately—this is the only complete fix.

  2. Disable: If patching is delayed, set enableStaticServing = false in .streamlit/config.toml or via environment variable STREAMLIT_SERVER_ENABLE_STATIC_SERVING=false.

  3. Audit: Inventory all Streamlit deployments on Windows; grep config files and startup scripts for enableStaticServing.

  4. Network controls: Block outbound SMB (TCP 445/139) from Streamlit hosts to prevent NTLM relay to attacker-controlled servers.

  5. Monitor: Alert on path traversal patterns (../, ..\, URL-encoded variants) in static file request logs.

  6. Rotate credentials: If exposure is suspected on any host, rotate credentials for accounts that ran Streamlit and check for lateral movement indicators.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Leakage Auth Bypass Framework API AML.T0025 AML.T0049 AML.T0055 AML.T0106

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Information security for AI systems
NIST AI RMF
MANAGE-2.2 - Mechanisms are in place and applied to sustain the value of AI and to manage associated risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2024-42474?

Streamlit deployments on Windows with static file sharing enabled expose the running user's NTLM password hash to any low-privileged attacker. That hash can be cracked offline or weaponized in pass-the-hash attacks for lateral movement. Patch to v1.37.0 immediately and audit whether static file sharing is active across your data science environment.

Is CVE-2024-42474 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-42474, increasing the risk of exploitation.

How to fix CVE-2024-42474?

1. Patch: Upgrade Streamlit to v1.37.0 or later immediately—this is the only complete fix. 2. Disable: If patching is delayed, set enableStaticServing = false in .streamlit/config.toml or via environment variable STREAMLIT_SERVER_ENABLE_STATIC_SERVING=false. 3. Audit: Inventory all Streamlit deployments on Windows; grep config files and startup scripts for enableStaticServing. 4. Network controls: Block outbound SMB (TCP 445/139) from Streamlit hosts to prevent NTLM relay to attacker-controlled servers. 5. Monitor: Alert on path traversal patterns (../, ..\, URL-encoded variants) in static file request logs. 6. Rotate credentials: If exposure is suspected on any host, rotate credentials for accounts that ran Streamlit and check for lateral movement indicators.

What systems are affected by CVE-2024-42474?

This vulnerability affects the following AI/ML architecture patterns: ML demo applications, model serving, data science internal tooling, ML prototyping environments.

What is the CVSS score for CVE-2024-42474?

CVE-2024-42474 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.57%.

What is the AI security impact?

Affected AI Architectures

ML demo applicationsmodel servingdata science internal toolingML prototyping environments

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0106 Exploitation for Credential Access

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

Streamlit is a data oriented application development framework for python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows.

Exploitation Scenario

An adversary with any authenticated access to a Streamlit app (legitimate user, insider, or anyone who can reach the endpoint) crafts a path traversal request targeting the static file serving endpoint. On Windows, this can reference a UNC path (e.g., \\attacker-controlled-server\share\file), forcing the Windows host to initiate NTLM authentication to the attacker's server. Using a tool like Responder, the attacker captures the NTLMv2 hash. They either crack it offline using a GPU cluster if the password is weak, or relay it directly in a pass-the-hash attack against other Windows systems in the environment. In an AI/ML context, the Streamlit host almost certainly has access to training data stores, model registries, MLflow tracking servers, or database credentials—making it an ideal lateral movement pivot into the broader AI infrastructure.

Weaknesses (CWE)

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Primary CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

  • [Implementation] Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue." Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylis
  • [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
August 12, 2024
Last Modified
September 16, 2024
First Seen
August 12, 2024

Related Vulnerabilities

CRITICAL CVE-2024-41115 9.8

streamlit-geospatial: eval() injection enables RCE

Same package: streamlit
CRITICAL CVE-2024-41113 9.8

streamlit-geospatial: RCE via eval() in Timelapse page

Same package: streamlit
CRITICAL CVE-2024-41114 9.8

streamlit-geospatial: RCE via eval() on palette input

Same package: streamlit
CRITICAL CVE-2024-41112 9.8

streamlit-geospatial: RCE via eval() on palette input

Same package: streamlit
CRITICAL CVE-2024-41116 9.8

streamlit-geospatial: RCE via eval() injection

Same package: streamlit
Back to Threat Feed