streamlit 1.11.1rc1 vulnerabilities

Known vulnerabilities in the streamlit package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Arbitrary File Upload streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Arbitrary File Upload in the `file_uploader.py` widget, which does not enforce uploaded file type restrictions on the server side, even if they are set in the client. How to fix Arbitrary File Upload? Upgrade `streamlit` to version 1.43.2 or higher.	[,1.43.2)
M Path Traversal streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Path Traversal via the static file sharing feature. An attacker can leak the password hash of the Windows user running `Streamlit`. Note: The vulnerability only affects Windows. How to fix Path Traversal? Upgrade `streamlit` to version 1.37.0 or higher.	[,1.37.0)
M Directory Traversal streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Directory Traversal due to insufficient validation of user-supplied input in custom components. An attacker can access sensitive files on the server by manipulating input to traverse directories. This is a case left over from the fix for CVE-2022-35918 in version 1.11.1. How to fix Directory Traversal? Upgrade `streamlit` to version 1.30.0 or higher.	[0.63.0,1.30.0)
M Improper Output Neutralization for Logs streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Improper Output Neutralization for Logs when the function `upload_file_request_handler.py` returns 400 error including the `session_id` value. How to fix Improper Output Neutralization for Logs? Upgrade `streamlit` to version 1.27.0 or higher.	[,1.27.0)
M Directory Traversal streamlit is a The fastest way to build data apps in Python Affected versions of this package are vulnerable to Directory Traversal in the `ComponentRequestHandler` class in `components/v1/components.py` that can reveal data from the web server including server logs and world-readable files that are not intended to be accessible outside the custom component, when processing a crafted URL. How to fix Directory Traversal? Upgrade `streamlit` to version 1.11.1 or higher.	[0.63.0,1.11.1)

Vulnerability

Vulnerable Version

Arbitrary File Upload

streamlit is a The fastest way to build data apps in Python

Affected versions of this package are vulnerable to Arbitrary File Upload in the file_uploader.py widget, which does not enforce uploaded file type restrictions on the server side, even if they are set in the client.

How to fix Arbitrary File Upload?

Upgrade streamlit to version 1.43.2 or higher.

[,1.43.2)

Path Traversal

streamlit is a The fastest way to build data apps in Python

Affected versions of this package are vulnerable to Path Traversal via the static file sharing feature. An attacker can leak the password hash of the Windows user running Streamlit.

Note: The vulnerability only affects Windows.

How to fix Path Traversal?

Upgrade streamlit to version 1.37.0 or higher.

[,1.37.0)

Directory Traversal

streamlit is a The fastest way to build data apps in Python

Affected versions of this package are vulnerable to Directory Traversal due to insufficient validation of user-supplied input in custom components. An attacker can access sensitive files on the server by manipulating input to traverse directories. This is a case left over from the fix for CVE-2022-35918 in version 1.11.1.

How to fix Directory Traversal?

Upgrade streamlit to version 1.30.0 or higher.

[0.63.0,1.30.0)

Improper Output Neutralization for Logs

streamlit is a The fastest way to build data apps in Python

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs when the function upload_file_request_handler.py returns 400 error including the session_id value.

How to fix Improper Output Neutralization for Logs?

Upgrade streamlit to version 1.27.0 or higher.

[,1.27.0)

Directory Traversal

streamlit is a The fastest way to build data apps in Python

Affected versions of this package are vulnerable to Directory Traversal in the ComponentRequestHandler class in components/v1/components.py that can reveal data from the web server including server logs and world-readable files that are not intended to be accessible outside the custom component, when processing a crafted URL.

How to fix Directory Traversal?

Upgrade streamlit to version 1.11.1 or higher.

[0.63.0,1.11.1)

streamlit@1.11.1rc1 vulnerabilities

A faster way to build and share data apps

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?