Advisory ID: STREAMLIT-2022-001

Streamlit Security Advisory

Issue date: 20 January 2022


On January 5th, 2022, we learned of a potential vulnerability in the Streamlit Cloud platform that was introduced with the release of a new feature on 11/30/2021. After a thorough internal analysis, we have found no evidence of malicious activity during this period. We patched the vulnerability as of January 5th and we have taken additional measures to protect our users.

What was the issue?

During this period, a user who was invited to a Streamlit app may have been able to see a wider list of Streamlit apps within the same workspace than they had been invited to view. As expected, users would have seen a list of all public apps and apps they had been invited to in a workspace. However, users would have also seen a list of other private apps within the workspace that had at least one invited viewer. This was a very small edge case in our code that only impacted a handful of workspaces and viewers.

Note that unless explicitly invited, even though such users could list those apps (i.e. view app metadata), they could not access the apps themselves (i.e. view their contents or interact with them). The metadata that was visible was limited to GitHub organization, repository name, branch, and file name associated with each app.

How was it discovered?

This vulnerability was discovered by our internal staff during QA.

How did we respond?

Within hours of detection, we released a change to mitigate this issue by correcting the filtering criteria used for listing apps in a Streamlit Cloud workspace.

Who was impacted?

Any users who shared an app since 11/30/2021 may have been impacted. In many cases, apps are often shared within an organization or with trusted third parties. The information disclosed is metadata about Streamlit apps, and is usually not sensitive. Out of an abundance of caution, we’ve decided to disclose this as an advisory.

How are we preventing such issues going forward?

In response to this incident, we are re-evaluating our processes and tooling for handling database queries and improving our testing practices. Finally, we’re improving our deployment tooling and processes to more quickly mitigate issues in the future.