📣 Calling all data lovers and AI/ML engineers! Join Dev Day in San Francisco on June 6th (for free!)

Advisory ID: STREAMLIT-2022-002

Streamlit Security Advisory

Streamlit open source addresses directory traversal vulnerability.
CVSSv3 range: 6.5
Issue date: 27 July 2022
CVE(S): CVE-2022-35918

1. Impacted Products

Streamilt Open Source

2. Introduction

On July 27th, 2022 at 4:57 AM PST, the Streamlit Security team learned of a vulnerability in the Streamlit open source library. We subsequently released a patch for this vulnerability on July 27th, 2022 at 2:20PM PST. All users should immediately upgrade their Streamlit Open Source code to version 1.11.1

The vulnerability does not affect Streamlit Cloud.

3. Directory Traversal Vulnerability

3.1 Description

Streamlit was informed via our support email of a directory traversal vulnerability in our open source code that uses custom components. Streamlit has evaluated the severity of the issue and determined it was in the moderate range with a maximum CVSSv3 base score of 6.5

3.2 Scenarios and attack vector(s)

Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.

An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

3.3 Our response and next steps

On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.

Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.

3.4 Resolution

Please upgrade your Streamlit to the latest version: 1.11.1.

3.5 Workarounds

None.

4. Contact

Please contact security@streamlit.io for any questions. Please report any security issues via HackerOne as per our policy.