Update dependency streamlit to v1.54.0 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
streamlit (changelog)	1.52.1 → 1.54.0

GitHub Vulnerability Alerts

CVE-2026-33682

Streamlit Open Source Security Advisory

1. Impacted Products

Streamlit Open Source versions prior to 1.54.0 running on Windows hosts.

2. Introduction

Snowflake Streamlit Open Source addressed a security vulnerability affecting Windows deployments related to improper handling and validation of filesystem paths within component request handling. The vulnerability was reported through the responsible disclosure program and has been remediated in Streamlit Open Source version 1.54.0. This issue affects only Streamlit deployments running on Windows operating systems.

3. Server-Side Request Forgery (SSRF) and NTLM Credential Exposure

3.1 Description

Streamlit was informed by a security researcher of an unauthenticated Server-Side Request Forgery (SSRF) vulnerability. The vulnerability arises from improper validation of attacker-supplied filesystem paths. In certain code paths, including within the ComponentRequestHandler, filesystem paths are resolved using os.path.realpath() or Path.resolve() before sufficient validation occurs.

On Windows systems, supplying a malicious UNC path (e.g., \\attacker-controlled-host\share) can cause the Streamlit server to initiate outbound SMB connections over port 445. When Windows attempts to authenticate to the remote SMB server, NTLMv2 challenge-response credentials of the Windows user running the Streamlit process may be transmitted.

This behavior may allow an attacker to:

• Perform NTLM relay attacks against other internal services
• Identify internally reachable SMB hosts via timing analysis

Note: The issue is unauthenticated and does not require user interaction.

Captured NTLMv2 challenge-response hashes could be subjected to offline brute-force attacks in an attempt to recover the associated plaintext account password. While NTLMv2 incorporates a server challenge (nonce) that mitigates the use of precomputed rainbow tables, it does not prevent targeted offline password cracking against weak credentials.

Additionally, Microsoft has publicly discouraged the continued use of NTLM in favor of Kerberos and is actively progressing toward disabling NTLM by default in future Windows releases. Organizations that enforce NTLM restrictions, disable outbound NTLM authentication, require SMB signing, or block NTLM authentication to remote servers can reduce or eliminate the risk associated with credential relay or hash exposure scenarios.

As NTLM is considered legacy and increasingly deprecated (though not fully sunset), environments that have already implemented Microsoft-recommended NTLM hardening controls are less likely to be materially impacted. The overall risk therefore depends on the organization's authentication configuration and network security posture.

3.2 Scenarios and Attack Vectors

Streamlit applications running on Windows were vulnerable if component endpoints were exposed to untrusted networks. By appending an attacker-controlled SMB hostname to the URI path and issuing a GET request, the Streamlit server could be coerced into initiating an outbound SMB authentication attempt.

This could result in the leakage of NTLMv2 credential hashes for the Windows account running the Streamlit process.

3.3 Resolution

• The vulnerability has been fixed in Streamlit Open Source version 1.54.0.
• It is recommended that all Streamlit deployments on Windows be upgraded immediately to version 1.54.0 or later.

4. Contact

Please contact security@snowflake.com for any questions regarding this advisory.

If a security vulnerability is discovered in a Streamlit product or website, it should be reported through the responsible disclosure program. For more information, see the Vulnerability Disclosure Policy.

---

Release Notes

streamlit/streamlit (streamlit)

v1.54.0

Compare Source

What's Changed

Breaking Changes 🛠

• Remove experimental query params by @​lukasmasuch in #​13142
• Remove deprecated st.experimental_user command by @​lukasmasuch in #​13626
• Set add_rows deprecation warning to show in browser by @​lukasmasuch in #​13628

New Features 🎉

• Use key as main identity for st.dataframe with selections by @​lukasmasuch in #​13558
• Use key as main identity for vega charts with selections by @​lukasmasuch in #​13559
• Add chartDivergingColors theming config option by @​mayagbarnes in #​13581
• Allow dynamically changing in min and max in st.date_input by @​lukasmasuch in #​13549
• Allow dynamically changing min_value and max_value in st.datetime_input when key is provided by @​lukasmasuch in #​13620
• Prepare pandas 3.0 compatibility by @​lukasmasuch in #​13630
• Allow dynamic changes to st.radio options when key is provided by @​lukasmasuch in #​13611
• Support auto-rerun when config.toml is created by @​lukasmasuch in #​13625
• Allow selecting text of pills in the MultiselectColumn and ListColumn by @​lukasmasuch in #​13663
• Prepare for binding widgets to query params - Part 1 by @​mayagbarnes in #​13681
• feat(logo): add support for Material icons and emojis in st.logo by @​rahuld109 in #​13416
• Allow dynamic changes to st.select_slider options when key is provided by @​lukasmasuch in #​13696
• Add "client.showErrorLinks` config option (#​11238)" by @​karubian in #​13472
• Allow dynamic changes to st.pydeck_chart parameters when key is provided by @​lukasmasuch in #​13703
• Support resolving to theme colors configs for charts by @​mayagbarnes in #​13739

Bug Fixes 🐛

• Fix bar chart error with uniform column values by @​sfc-gh-kmcgrady in #​13590
• [fix] Increase max width of uploaded files in st.chat_input by @​sfc-gh-nbellante in #​13589
• [fix] Add defensive check in Manifest Scanner by @​sfc-gh-bnisco in #​13612
• Support new auth features in Starlette by @​lukasmasuch in #​13571
• Hide developer options when toolbarMode="viewer" by @​sfc-gh-dmatthews in #​13623
• Fix SnowflakeConnection.query() cache key to include params by @​sfc-gh-kmcgrady in #​13652
• Fix crash with container elements in spinner context by @​sfc-gh-kmcgrady in #​13659
• Fix a regression with snowflake connection being closed by @​lukasmasuch in #​13665
• Fix TransientNode not capturing BlockNode as anchor when replacing by @​kmcgrady in #​13674
• Fix selectbox and multiselect clearing selections for custom objects by @​lukasmasuch in #​13648
• Fix KeyError when sorting melted bar chart data by @​lukasmasuch in #​13695
• Fix sidebar collapsing on mobile when clicking portaled elements by @​sfc-gh-kmcgrady in #​13653
• [fix] Display wildcard addresses as localhost in URLs by @​sfc-gh-nbellante in #​13720

Other Changes

• [chore] Release v1.53.0 by @​github-actions[bot] in #​13588
• [chore] Release v1.53.1 by @​github-actions[bot] in #​13676

New Contributors

• @​sfc-gh-kmcgrady made their first contribution in #​13590
• @​rahuld109 made their first contribution in #​13416
• @​rishi-kumar0612 made their first contribution in #​13004
• @​karubian made their first contribution in #​13472

Full Changelog: streamlit/streamlit@1.53.1...1.54.0

v1.53.1

Compare Source

Full Changelog: streamlit/streamlit@1.53.0...1.53.1

v1.53.0

Compare Source

What's Changed

Breaking Changes 🛠

• [feat] Move the isolate_styles param in CCv2 by @​sfc-gh-bnisco in #​13518
• [feat] Rename some external CCv2 types by @​sfc-gh-bnisco in #​13515

New Features 🎉

• Support for markdown in the metrics value and delta parameters by @​jensonjohnathon in #​13094
• Make Default Sidebar Width Configurable by @​jose-mindwayai in #​12154
• [feat] Update chat input UI with improved layout and styling by @​sfc-gh-nbellante in #​13088
• Add support for setting metric delta colors from color palette by @​lukasmasuch in #​13153
• Support configuring the format in st.metric by @​lukasmasuch in #​13193
• Support for markdown in select_slider options by @​jensonjohnathon in #​12960
• Navigate to home page on logo click by @​lukasmasuch in #​13222
• Add max_upload_size parameter to file_uploader and chat_input by @​rishabhjain1712 in #​12816
• Allow only adding or deleting rows in st.data_editor by @​lukasmasuch in #​13228
• Add icon_position support for button-like components by @​SiddhantSadangi in #​13150
• [feat] Add headingFontSize1-6 and headingFontWeight1-6 CSS Custom Properties by @​sfc-gh-bnisco in #​13268
• [feat] Enhance st.chat_input file upload UI with improved file chips and retry functionality by @​sfc-gh-nbellante in #​13223
• Add icon support to dialogs by @​KaranPradhan266 in #​13244
• Allow dynamic changes to selectbox options when key is provided by @​lukasmasuch in #​13383
• Add path tooltip on st.json value click by @​lukasmasuch in #​13113
• Support passing list of pydantic objects as dataframe-like structure by @​lukasmasuch in #​13348
• [feat] Update AGENTS rules for better a11y practices by @​sfc-gh-bnisco in #​13411
• [feat] Update eslint rules for better a11y support by @​sfc-gh-bnisco in #​13412
• Expose OIDC tokens by @​velochy in #​12044
• Support pre-defined formats in format of st.slider by @​lukasmasuch in #​13392
• Add on_release to st.cache_resource. by @​sfc-gh-jkinkead in #​13439
• Add gaps and sizes for xxsmall, xsmall, xlarge, xxlarge in st.container/columns/space by @​sfc-gh-tteixeira in #​13345
• Add new session_duration_seconds_total stats by @​vdonato in #​13414
• Add session scoping to caches. by @​sfc-gh-jkinkead in #​13482
• [feat] Simplify chat input UI with single-row layout for basic configurations by @​sfc-gh-nbellante in #​13364
• Add session-scoped connection support. by @​sfc-gh-jkinkead in #​13506
• [feat] Allow for optional js, css, and html params in CCv2 by @​sfc-gh-bnisco in #​13511
• Allow dynamically changing in min, max and step in st.number_input by @​lukasmasuch in #​13512
• Add optional support for running Streamlit with Starlette by @​lukasmasuch in #​13375
• Add SnowflakeCallersRightsConnection. by @​sfc-gh-jkinkead in #​13538
• Allow dynamic changes to multiselect options when key is provided by @​lukasmasuch in #​13448
• fix(multiselect): preserve scroll position when removing items by @​kagawa0710 in #​13384
• Add experimental ASGI app entry point for advanced server configuration by @​lukasmasuch in #​13537
• Allow OAuth redirect_uri to reference current port by @​velochy in #​12251
• Make st.logout use end_session_endpoint if provided in OIDC config (V2) by @​velochy in #​12693
• [feat] Add dynamic layout switching for st.chat_input by @​sfc-gh-nbellante in #​13546

Bug Fixes 🐛

• [fix] improve width/height error message to say "positive integer" by @​sfc-gh-lwilby in #​13206
• Fix unexpected shrinking of logo with top nav by @​lukasmasuch in #​13226
• [fix] Do not render sidebar nav when top nav enabled by @​sfc-gh-bnisco in #​13227
• Implement transient spinners by @​kmcgrady in #​12826
• [fix] Include default in key for CCv2 instances by @​sfc-gh-bnisco in #​13266
• [fix] Ensure key down targeting works for elements in Shadow DOM by @​sfc-gh-bnisco in #​13264
• Fix data editor regression when starting from empty column by @​lukasmasuch in #​13309
• Prevent st.dialog from showing elements from previous dialog by @​lukasmasuch in #​13297
• Fix auth-related issues caused by dependency updates by @​lukasmasuch in #​13333
• [Fix] Theme preference persistence across reloads by @​mayagbarnes in #​13306
• [fix] Handle undefined theme properties in CCv2 by @​sfc-gh-bnisco in #​13240
• [fix] Ensure crossOrigin attribute is properly set for CCv2 stylesheets by @​sfc-gh-bnisco in #​13376
• Fix the spinner time text alignment by @​lukasmasuch in #​13388
• [fix] tooltip text leaking with newlines in help by @​sfc-gh-lwilby in #​13365
• [fix] Ensure anchor links in Markdown headers are accessible from keyboard by @​sfc-gh-bnisco in #​13378
• [fix] Ensure help Tooltips are accessible by @​sfc-gh-bnisco in #​13379
• [Fix] st.html handles list indentation by @​mayagbarnes in #​13437
• [Fix] st.selectbox set via session state does not restore initial value by @​mayagbarnes in #​13438
• [Fix] Altair charts with vconcat and hconcat by @​mayagbarnes in #​13423
• Fix custom theme when embedded with embed_options by @​ranmocy in #​13498
• Improve st.number_input precision by @​mayagbarnes in #​13484
• Add ability to clear transient nodes when the script is run by @​kmcgrady in #​13166
• [fix] Correct justifyContents to justifyContent in Icon styled-components by @​sfc-gh-nbellante in #​13557
• [fix] Fix upload button functionality after drag-drop and delete in st.chat_input by @​sfc-gh-nbellante in #​13556

Other Changes

• [chore] Release v1.52.0 by @​github-actions[bot] in #​13186
• [chore] Release v1.52.1 by @​github-actions[bot] in #​13235
• [Fix] Theme hashing by @​mayagbarnes in #​13173
• Use the correct snowflake.com domains by @​lukasmasuch in #​13363
• [chore] Release v1.52.2 by @​github-actions[bot] in #​13390
• [polish] Update chat input file chip border radius to match Figma by @​sfc-gh-nbellante in #​13532
• [Fix] Consolidate border/hover colors by @​mayagbarnes in #​13536
• [feat] Replace inline error messages with tooltips in st.chat_input file upload UI by @​sfc-gh-nbellante in #​13542
• [fix] Update ghost button colors for st.chat_input buttons by @​sfc-gh-nbellante in #​13535
• [fix] Improve st.chat_input file delete button colors by @​sfc-gh-nbellante in #​13554
• [polish] Replace Mic icon with MicNone icon in st.chat_input by @​sfc-gh-nbellante in #​13553
• [fix] Shorten st.chat_input file chip display to adhere to designs by @​sfc-gh-nbellante in #​13555
• [feat] Add image thumbnails to st.chat_input file uploads by @​sfc-gh-nbellante in #​13547

New Contributors

• @​jensonjohnathon made their first contribution in #​13094
• @​jose-mindwayai made their first contribution in #​12154
• @​rishabhjain1712 made their first contribution in #​12816
• @​KaranPradhan266 made their first contribution in #​13244
• @​ranmocy made their first contribution in #​13498
• @​kagawa0710 made their first contribution in #​13384

Full Changelog: streamlit/streamlit@1.52.2...1.53.0

v1.52.2

Compare Source

Full Changelog: streamlit/streamlit@1.52.1...1.52.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.