BSides Toronto 2025

Weaponizing Streamlit: Cloud Account Takeover Through File Upload Exploitation
2025-10-05, ENG 103

File upload vulnerabilities in cloud-native environments can have catastrophic consequences far beyond their perceived low severity. This session exposes a major flaw in Streamlit’s st.file_uploader widget, demonstrating a real-world exploit chain from bypassing client-side checks to gaining persistent access, manipulating cloud roles, and tampering with live data dashboards. Learn why trusting frontend logic is dangerous and how open-source misconfigurations become high-impact attack surfaces.


File upload vulnerabilities are often treated as low-severity issues, but in modern cloud-native environments they can deliver total compromise. In early 2025, researchers discovered a flaw in the widely adopted st.file_uploader widget of the open-source Streamlit framework that allowed a simple client-side check to be bypassed, leading to arbitrary file uploads and complete control of misconfigured cloud instances.

This session walks through the full exploit chain, showing how attackers can weaponize this overlooked feature. By intercepting upload traffic and injecting payloads, we demonstrate how to bypass file-type filtering, achieve directory traversal, and overwrite .ssh/authorized_keys to gain persistent remote access. From there, we pivot into the cloud environment, enumerating roles and manipulating data pipelines powering real-time stock dashboards.
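The chain above starts where an upload handler trusts the client: the file type is filtered in the browser, the client-supplied name is used as a path, and a dot-file such as .ssh/authorized_keys ends up writable. The following is an added example, not code from the talk, from Streamlit, or from the speakers, showing the server-side checks that close each of those steps regardless of what the frontend does. It assumes uploads are persisted under a directory named UPLOAD_DIR and that only CSV and PNG files are expected; both are illustrative choices.

```python
import os
import re
from pathlib import Path

# Assumed destination for persisted uploads (illustrative path, not Streamlit's).
UPLOAD_DIR = Path("/srv/app/uploads")


def _looks_like_png(data: bytes) -> bool:
    """PNG files begin with a fixed 8-byte signature."""
    return data.startswith(b"\x89PNG\r\n\x1a\n")


def _looks_like_csv(data: bytes) -> bool:
    """Treat CSV as plain UTF-8 text with no NUL bytes."""
    if b"\x00" in data:
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


# Extension allow-list; each entry carries the content check a file must pass,
# so renaming a payload to a permitted extension is not enough on its own.
ALLOWED_TYPES = {".png": _looks_like_png, ".csv": _looks_like_csv}

# Exactly one path component: starts alphanumeric (no dot-files), no separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,99}")


class UploadRejected(ValueError):
    """Raised when an upload fails server-side validation."""


def sanitize_filename(client_name: str) -> str:
    """Reduce the client-supplied name to a single safe path component.

    The name is attacker-controlled: it may contain '/' or '\\' segments,
    '..', a leading dot, or an extension the app never expected.
    """
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not SAFE_NAME.fullmatch(base):
        raise UploadRejected(f"unsafe file name: {client_name!r}")
    return base


def validate_upload(client_name: str, data: bytes,
                    upload_dir: Path = UPLOAD_DIR) -> Path:
    """Return the path the file may be written to, or raise UploadRejected.

    Applies, in order: filename sanitisation, extension allow-list, content
    sniffing, and a final check that the resolved path stays inside upload_dir.
    """
    name = sanitize_filename(client_name)
    ext = os.path.splitext(name)[1].lower()
    checker = ALLOWED_TYPES.get(ext)
    if checker is None:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    if not checker(data):
        raise UploadRejected(f"content does not look like {ext}")
    root = upload_dir.resolve()
    target = (root / name).resolve()
    if target.parent != root:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def is_rejected(client_name: str, data: bytes) -> bool:
    """True when validate_upload refuses the upload; useful for tests and logging."""
    try:
        validate_upload(client_name, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample uploads: one benign CSV and a few that must be refused.
    samples = [
        ("prices.csv", b"ticker,price\nACME,12.5\n"),
        ("../../.ssh/authorized_keys", b"ssh-ed25519 AAAA... someone@host"),
        ("chart.png", b"not a png"),
        (".bashrc", b"alias ls=ls"),
    ]
    for name, data in samples:
        verdict = "rejected" if is_rejected(name, data) else "accepted"
        print(f"{name!r}: {verdict}")
```

The order matters: the name is reduced to one component before anything else looks at it, the extension is checked against an allow-list rather than a deny-list, the bytes must match the claimed type, and the resolved path is compared to the resolved upload root so that symlinks or stray separators cannot move the write elsewhere. None of these checks depend on the client having sent an honest Content-Type or having run any JavaScript.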

This will be a live proof-of-concept session demoing how this vulnerability could enable market manipulation, data tampering, and other high-impact attacks. Beyond the immediate exploit, the talk exposes a broader pattern: how misplaced trust in frontend logic and cloud misconfigurations create reliable attack surfaces in open-source frameworks.

Snir Aviv is an application security researcher at Cato Networks and a member of Cato CTRL. Snir specializes in penetration testing, vulnerability research, and the development of offensive security tools. Prior to joining Cato in 2024, Snir built and led the penetration testing team at Clear Gate, delivering high-impact security assessments for clients across diverse industries. Snir holds the Burp Suite Certified Practitioner (BSCP) certification, has published multiple CVEs, and is known for his practical approach to security challenges and his ability to uncover complex vulnerabilities.

Yuval Moravchick is the Application Security Research Team Leader at Cato Networks. With over 10 years of technical experience in the cybersecurity industry, Yuval has built and led security teams at various organizations. He specializes in penetration testing, security research, and the development of offensive security tools. Before joining Cato Networks, Yuval held roles at Wix.com and ControlUp, where he led an application security research team, found 0-day bugs, and managed SSDLC activities. Prior to that, Yuval honed his expertise at BugSec, managing a team of skilled penetration testers, conducting red team simulations, and developing malware. Yuval holds a B.Sc. in Industrial & Management Engineering and several industry certifications, including Offensive Security Certified Professional (OSCP) and Offensive Security Web Expert (OSWE).