Awesome LLM Apps Streamlit GitHub MCP Agent Cross-Session Information Disclosure Vulnerability
Vulnerability
A cross-session information disclosure vulnerability has been identified in the awesome-llm-apps project, specifically within the Streamlit-based GitHub MCP Agent. The application stores user-provided API tokens, such as GitHub Personal Access Tokens and OpenAI API keys, in process-wide environment variables using 'os.environ', without adequate session isolation. Because Streamlit runs multiple concurrent user sessions within a single Python process, credentials from one user can be accessed by subsequent unauthenticated users. An attacker can exploit this flaw to retrieve sensitive information, potentially leading to unauthorized access to private resources and financial abuse.
Impact
Exploitation of this vulnerability allows for cross-session credential leakage, where an attacker can access tokens and keys provided by other users. This could result in unauthorized access to private GitHub repositories and OpenAI API resources, along with any associated financial costs from API usage.
Reproduction
To reproduce this vulnerability, first run the application using Streamlit. In one browser session (Session A), enter a GitHub token and an OpenAI API key. Then, in a separate incognito session (Session B), access the application without providing a GitHub token. After a query is executed in Session B, that session inadvertently receives the GitHub token entered in Session A, demonstrating the cross-session credential leakage.
Remediation
Do not store user credentials in global environment variables. Instead, use session-scoped storage to bind credentials strictly to individual user sessions. Clear sensitive data after use and avoid passing secrets through shared global state.
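The sketch below is an added example, not code from the awesome-llm-apps project: it places the process-wide 'os.environ' pattern beside a session-scoped one. The Session class is a stand-in for Streamlit's per-session st.session_state so the code runs without Streamlit; the environment variable name, function names and token value are assumptions made for the illustration.

```python
import os

ENV_KEY = "GITHUB_PERSONAL_ACCESS_TOKEN"  # assumed variable name for this sketch


class Session:
    """Stand-in for one Streamlit session; `state` plays the role of st.session_state."""
    def __init__(self, name):
        self.name = name
        self.state = {}


def run_query_vulnerable(session, token_input):
    """Pattern described in the advisory: the token goes into process-wide os.environ."""
    if token_input:
        os.environ[ENV_KEY] = token_input  # visible to every session in the process
    return os.environ.get(ENV_KEY)         # token the agent would end up using


def run_query_scoped(session, token_input):
    """Session-scoped handling: the token lives only in this session's state."""
    if token_input:
        session.state["github_token"] = token_input
    token = session.state.get("github_token")
    if not token:
        raise PermissionError(f"{session.name}: no GitHub token supplied")
    # Per-call copy of the environment for a child process (e.g. subprocess env=...);
    # os.environ itself is never modified.
    child_env = {**os.environ, ENV_KEY: token}
    return child_env[ENV_KEY]


def demo():
    os.environ.pop(ENV_KEY, None)
    a, b = Session("A"), Session("B")
    tok = "ghp_CONSTRUCTED_SAMPLE_TOKEN"   # constructed value, not a real token
    leaked = (run_query_vulnerable(a, tok), run_query_vulnerable(b, ""))
    os.environ.pop(ENV_KEY, None)          # clear the shared state left behind
    ok = run_query_scoped(a, tok)
    try:
        run_query_scoped(b, "")
        b_result = "got a token"
    except PermissionError:
        b_result = "rejected"
    return leaked, ok, b_result, ENV_KEY in os.environ


if __name__ == "__main__":
    print(demo())
```

In the vulnerable path Session B receives Session A's token; in the scoped path Session B is rejected and the process environment stays clean.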
