CVE-2024-41118

Name of the Vulnerable Software and Affected Versions streamlit-geospatial versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489

Description The issue allows for blind server-side request forgery due to the url variable taking user input, which is then used by the get wms layer method to create requests to arbitrary destinations. This occurs in the get layers function, specifically on line 47 of pages/7 📦 Web Map Service.py.

Recommendations For versions prior to commit c4f81d9616d40c60584e36abb15300853a66e489, update to a version that includes the fix from commit c4f81d9616d40c60584e36abb15300853a66e489 to resolve the issue. As a temporary workaround, consider restricting the use of the get wms layer method or validating the url variable to prevent arbitrary requests.