CVE-2024-47165 – gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: >=0 <5.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0009 pctl0.26383

Details

Gradio's CORS origin validation accepts the null origin ### Impact **What kind of vulnerability is it? Who is impacted?** This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. ### Patches Yes, please upgrade to `gradio>=5.0` to address this issue. ### Workarounds **Is there a way for users to fix or remediate the vulnerability without upgrading?** As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.

Metadata

Created: 2024-10-10T21:36:36Z
Modified: 2025-01-21T17:53:31Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-89v2-pqfv-c5r9/GHSA-89v2-pqfv-c5r9.json
CWE IDs: ["CWE-285", "CWE-346"]
Alternative ID: GHSA-89v2-pqfv-c5r9
Finding: F184
Auto approve: 1