Search for packages
| purl | pkg:pypi/streamlit@1.16.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2m1a-hkg5-ubfe
Aliases: GHSA-8qw9-gf7w-42x5 GMS-2024-20 |
Minor fix to previous patch for CVE-2022-35918 ### Impact The initial vulnerability identified in Streamlit apps using custom components, allowing for directory traversal attacks, was addressed in version 1.11.1. However, a minor issue persisted, which could still potentially expose certain files on the server file-system under specific conditions. ### Patches We released an update in version 1.30.0 to further tighten security measures. Users are strongly advised to update to version 1.30.0 immediately for optimal security. ### Workarounds No additional workarounds are necessary once the update to version 1.30.0 is applied. ### For more information If you have any questions or comments about this advisory: * Email us at [security@streamlit.io](mailto:security@streamlit.io) |
Affected by 2 other vulnerabilities. |
|
VCID-45nc-3ttz-hqcu
Aliases: CVE-2024-42474 GHSA-rxff-vr5r-8cj5 PYSEC-2024-153 |
Streamlit is a data oriented application development framework for python. Snowflake Streamlit open source addressed a security vulnerability via the static file sharing feature. Users of hosted Streamlit app(s) on Windows were vulnerable to a path traversal vulnerability when the static file sharing feature is enabled. An attacker could utilize the vulnerability to leak the password hash of the Windows user running Streamlit. The vulnerability was patched on Jul 25, 2024, as part of Streamlit open source version 1.37.0. The vulnerability only affects Windows. |
Affected by 1 other vulnerability. |
|
VCID-5936-y57w-xuau
Aliases: CVE-2026-33682 GHSA-7p48-42j8-8846 |
Unauthenticated SSRF Vulnerability in Streamlit on Windows (NTLM Credential Exposure) # Streamlit Open Source Security Advisory ## 1. Impacted Products Streamlit Open Source versions prior to 1.54.0 running on Windows hosts. ## 2. Introduction Snowflake Streamlit Open Source addressed a security vulnerability affecting Windows deployments related to improper handling and validation of filesystem paths within component request handling. The vulnerability was reported through the responsible disclosure program and has been remediated in Streamlit Open Source version 1.54.0. This issue affects only Streamlit deployments running on Windows operating systems. ## 3. Server-Side Request Forgery (SSRF) and NTLM Credential Exposure ### 3.1 Description Streamlit was informed by a security researcher of an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the `ComponentRequestHandler`, filesystem paths are resolved using `os.path.realpath()` or `Path.resolve()` before sufficient validation occurs. On Windows systems, supplying a malicious UNC path (e.g., `\\attacker-controlled-host\share`) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted. This behavior may allow an attacker to: - Perform NTLM relay attacks against other internal services - Identify internally reachable SMB hosts via timing analysis > **Note:** The issue is unauthenticated and does not require user interaction. Captured NTLMv2 challenge-response hashes could be subjected to offline brute-force attacks in an attempt to recover the associated plaintext account password. While NTLMv2 incorporates a server challenge (nonce) that mitigates the use of precomputed rainbow tables, it does not prevent targeted offline password cracking against weak credentials. Additionally, Microsoft has publicly discouraged the continued use of NTLM in favor of Kerberos and is actively progressing toward disabling NTLM by default in future Windows releases. Organizations that enforce NTLM restrictions, disable outbound NTLM authentication, require SMB signing, or block NTLM authentication to remote servers can reduce or eliminate the risk associated with credential relay or hash exposure scenarios. As NTLM is considered legacy and increasingly deprecated (though not fully sunset), environments that have already implemented Microsoft-recommended NTLM hardening controls are less likely to be materially impacted. The overall risk therefore depends on the organization's authentication configuration and network security posture. ### 3.2 Scenarios and Attack Vectors Streamlit applications running on Windows were vulnerable if component endpoints were exposed to untrusted networks. By appending an attacker-controlled SMB hostname to the URI path and issuing a GET request, the Streamlit server could be coerced into initiating an outbound SMB authentication attempt. This could result in the leakage of NTLMv2 credential hashes for the Windows account running the Streamlit process. ### 3.3 Resolution - The vulnerability has been fixed in Streamlit Open Source version 1.54.0. - It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later. ## 4. Contact Please contact [security@snowflake.com](mailto:security@snowflake.com) for any questions regarding this advisory. If a security vulnerability is discovered in a Streamlit product or website, it should be reported through the responsible disclosure program. For more information, see the [Vulnerability Disclosure Policy](https://hackerone.com/snowflake). |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:34:38.164241+00:00 | GitLab Importer | Affected by | VCID-5936-y57w-xuau | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/streamlit/CVE-2026-33682.yml | 38.6.0 |
| 2026-06-06T05:17:36.279372+00:00 | GitLab Importer | Affected by | VCID-45nc-3ttz-hqcu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/streamlit/CVE-2024-42474.yml | 38.6.0 |
| 2026-06-06T04:30:44.715192+00:00 | GitLab Importer | Affected by | VCID-2m1a-hkg5-ubfe | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/pypi/streamlit/GMS-2024-20.yml | 38.6.0 |
| 2026-06-05T17:03:57.109716+00:00 | PyPI Importer | Affected by | VCID-45nc-3ttz-hqcu | https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip | 38.6.0 |
| 2026-06-02T04:21:41.241268+00:00 | Pypa Importer | Affected by | VCID-45nc-3ttz-hqcu | https://github.com/pypa/advisory-database/blob/main/vulns/streamlit/PYSEC-2024-153.yaml | 38.6.0 |