CVE-2024-41116
📋 TL;DR
This vulnerability allows remote code execution in streamlit-geospatial applications by exploiting unsafe eval() usage with user-controlled input. Attackers can execute arbitrary code on affected systems, potentially compromising the entire server. Anyone using streamlit-geospatial versions before the fix commit is affected.
💻 Affected Systems
- streamlit-geospatial
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attackers to execute arbitrary commands, steal data, install malware, or pivot to other systems in the network.
Likely Case
Remote code execution leading to data exfiltration, service disruption, or cryptocurrency mining operations on vulnerable servers.
If Mitigated
No impact if the vulnerable code path is not accessible or proper input validation prevents exploitation.
🎯 Exploit Status
The vulnerability is straightforward to exploit as it involves direct eval() of user input. Public advisories provide technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit c4f81d9616d40c60584e36abb15300853a66e489
Vendor Advisory: https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/
Restart Required: Yes
Instructions:
1. Update to the latest streamlit-geospatial version containing commit c4f81d9616d40c60584e36abb15300853a66e489.
2. Restart the streamlit application.
3. Verify the vulnerable eval() call has been removed or properly sanitized.
🔧 Temporary Workarounds
Disable Timelapse Page
Remove or disable the vulnerable Timelapse.py page from the application
mv pages/1_📷_Timelapse.py pages/1_📷_Timelapse.py.disabled
Input Validation Wrapper
Add input validation to sanitize vis_params before it is used (and replace the eval() call)
# Add validation function to check vis_params contains only safe characters
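One way to implement the validation wrapper above, as an added example that is neither the project's code nor part of the advisory: parse vis_params with ast.literal_eval (which accepts only Python literals, never calls or names) and then check the result against an allow-list of keys and value types. The key names and value shapes are assumptions about what the page hands on to the map layer.

```python
import ast

# Keys accepted in vis_params. The set is an assumption for this example
# (typical Earth Engine visualization keys); extend it to what the page uses.
ALLOWED_KEYS = {"bands", "min", "max", "palette", "gamma", "opacity"}


def _is_number(value) -> bool:
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def parse_vis_params(text: str, max_len: int = 512) -> dict:
    """Turn a user-supplied vis_params string into a dict without eval().

    ast.literal_eval accepts only Python literals (dicts, lists, strings,
    numbers, booleans, None). Calls, attribute access and names such as
    __import__ are rejected at parse time instead of being executed.
    """
    if len(text) > max_len:
        raise ValueError("vis_params too long")
    try:
        value = ast.literal_eval(text)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError):
        raise ValueError("vis_params is not a plain literal") from None
    if not isinstance(value, dict):
        raise ValueError("vis_params must be a dict literal")
    clean = {}
    for key, val in value.items():
        if not isinstance(key, str) or key not in ALLOWED_KEYS:
            raise ValueError(f"unexpected vis_params key {key!r}")
        if key in ("bands", "palette"):
            ok = isinstance(val, list) and all(isinstance(v, str) for v in val)
        elif key in ("min", "max"):
            ok = _is_number(val) or (
                isinstance(val, list) and all(_is_number(v) for v in val))
        else:  # gamma, opacity
            ok = _is_number(val)
        if not ok:
            raise ValueError(f"bad value for vis_params key {key!r}")
        clean[key] = val
    return clean


def is_safe_vis_params(text: str) -> bool:
    """Gate to call before vis_params is used anywhere (True = accepted)."""
    try:
        parse_vis_params(text)
        return True
    except ValueError:
        return False
```

Use parse_vis_params() in place of eval(vis_params) so the page only ever receives the validated dict; reject the request when it raises.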
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the streamlit application
- Deploy web application firewall (WAF) rules to block suspicious eval() payloads
🔍 How to Verify
Check if Vulnerable:
Check if your streamlit-geospatial version contains the vulnerable eval() call at line 1345 in pages/1_📷_Timelapse.py
Check Version:
# git log --oneline abbreviates hashes, so grepping for the full hash would never match; ask git directly
git merge-base --is-ancestor c4f81d9616d40c60584e36abb15300853a66e489 HEAD && echo "fix commit present"
Verify Fix Applied:
Verify commit c4f81d9616d40c60584e36abb15300853a66e489 is present in your git history and the eval() call has been removed or secured
📡 Detection & Monitoring
Log Indicators:
- Unusual Python code execution in streamlit logs
- Suspicious import statements or system calls in application logs
Network Indicators:
- HTTP POST requests containing Python code snippets to the Timelapse endpoint
SIEM Query:
source="streamlit.logs" AND "eval" AND ("import os" OR "import subprocess" OR "__import__")
🔗 References
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L1254
- https://github.com/opengeos/streamlit-geospatial/blob/4b89495f3bdd481998aadf1fc74b10de0f71c237/pages/1_%F0%9F%93%B7_Timelapse.py#L1345
- https://github.com/opengeos/streamlit-geospatial/commit/c4f81d9616d40c60584e36abb15300853a66e489
- https://securitylab.github.com/advisories/GHSL-2024-100_GHSL-2024-108_streamlit-geospatial/