Streamlit Flaw Lets Hackers Hijack Cloud Accounts

A critical flaw in Streamlit, a widely used open-source framework for building data apps, has exposed users to serious cloud account takeover risks. 

Discovered in February 2025, the vulnerability stems from the st.file_uploader component, which allowed attackers to bypass file type restrictions and gain unauthorized access to cloud systems running Streamlit applications. 

The issue arose because file type checks were enforced only on the client side, in JavaScript, with no matching server-side validation. Security researchers demonstrated how an intercepting proxy such as Burp Suite could be used to capture the upload request and alter the file extension, disguising a malicious file (e.g., renaming malicious.exe to malicious.pdf) to get past the frontend restriction.

In their proof-of-concept, researchers showed how attackers could escalate the threat to directory traversal attacks by modifying file names (e.g., to ../../.ssh/authorized_keys) and overwriting key system files. This method enabled passwordless SSH access to affected cloud instances. 
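The two weaknesses described above (an extension trusted from the client, and a file name that is allowed to carry a path) are both closed by validating on the server. The following Python is an added illustration of such a check, not Streamlit's code or its 1.43.2 fix; the upload directory and the allowed types are assumed.

```python
import os
import posixpath

# Added illustrative check; not Streamlit's own fix. Assumed values:
UPLOAD_DIR = "/srv/app/uploads"              # where uploads are stored
ALLOWED = {                                  # extension -> required leading bytes
    ".pdf": b"%PDF-",                        # every PDF starts with this header
    ".png": b"\x89PNG\r\n\x1a\n",            # fixed PNG signature
}


class UploadRejected(ValueError):
    """Raised when a client-supplied upload fails server-side validation."""


def safe_name(client_name: str) -> str:
    """Refuse any file name that carries a path, e.g. ../../.ssh/authorized_keys."""
    # Treat backslashes as separators too, so Windows-style paths cannot slip through.
    base = posixpath.basename(client_name.replace("\\", "/"))
    if base in ("", ".", "..") or "\x00" in base or base != client_name:
        raise UploadRejected(f"unsafe file name: {client_name!r}")
    return base


def validate_upload(client_name: str, content: bytes) -> str:
    """Return the destination path for an acceptable upload, else raise."""
    name = safe_name(client_name)
    # The extension is checked here, on the server, and the content must match
    # the type it claims, so renaming malicious.exe to .pdf is not enough.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    root = os.path.realpath(UPLOAD_DIR)
    dest = os.path.realpath(os.path.join(root, name))
    # Defence in depth: the resolved path must still lie inside the upload root.
    if os.path.commonpath([root, dest]) != root:
        raise UploadRejected("resolved path escapes upload directory")
    return dest


def is_accepted(client_name: str, content: bytes) -> bool:
    """True if the upload passes every server-side check."""
    try:
        validate_upload(client_name, content)
    except UploadRejected:
        return False
    return True
```

Writing the file under a server-generated name rather than the client's, and running the app as an unprivileged user, further limits what a bypass of any single check could reach.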

The attack process typically involves scanning for publicly exposed Streamlit apps, intercepting file upload requests, injecting malicious SSH keys, and gaining control of the cloud environment. Once inside, attackers can explore the infrastructure and manipulate critical data pipelines. 

The threat is especially concerning for financial institutions. Streamlit is commonly used to build tools like stock dashboards and machine learning models. If compromised, attackers could manipulate dashboard scripts, databases, and financial data visualizations, potentially leading to undetected market interference. 

Cato Networks warned that tampering with financial dashboards could affect automated trading systems, influence market sentiment, and mislead investors. They noted that false data could trigger alerts, alter risk models, and prompt rapid portfolio changes. 

Streamlit has since released version 1.43.2, which includes a fix by enforcing server-side file-type validation. Meanwhile, Cato Networks updated its SASE Cloud Platform to better detect unauthorized uploads and unusual file paths. 

Organizations are strongly advised to tighten network access controls and apply patches to protect web applications hosted in the cloud. 
