Arbitrary File Upload Affecting streamlit package, versions [,1.43.2)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsSnyk Learn
Learn about Arbitrary File Upload vulnerabilities in an interactive lesson.
Start learning- Snyk IDSNYK-PYTHON-STREAMLIT-8749606
- published30 Mar 2025
- disclosed25 Feb 2025
- creditSn1r
Introduced: 25 Feb 2025
CVE-2025-1684 (opens in a new tab)Common Vulnerabilities and Exposures (CVE) are common identifiers for publicly known security vulnerabilities
Common Weakness Enumeration (CWE) is a category system for software weaknesses
How to fix?
Upgrade streamlit to version 1.43.2 or higher.
Overview
streamlit is a The fastest way to build data apps in Python
Affected versions of this package are vulnerable to Arbitrary File Upload in the file_uploader.py widget, which does not enforce uploaded file type restrictions on the server side, even if they are set in the client.