CVE-2024-47870 gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: >=0 <5.0.0

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00157 (percentile 0.3702)

Details

Gradio has a race condition in update_root_in_config that may redirect user traffic.

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability involves a race condition in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition.

Patches

Yes, please upgrade to `gradio>=5` to address this issue.
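The class of bug described above (CWE-362) is a shared, mutable configuration object that one request writes into and then serializes, so a concurrent request can change the `root` between the write and the read. The following is an added illustration of that pattern and its request-local fix; it is not Gradio's code and not taken from the advisory. The function names `render_shared`, `render_per_request` and `interleave`, the config keys and the sample roots are all constructed for this example, and the interleaving is scheduled explicitly with generators so the outcome is deterministic instead of depending on real threads.

```python
"""Model of a CWE-362 race on a shared config dict (added example, not Gradio's code)."""
from typing import Callable, Dict, Generator, Iterable

# One process-wide config dict reused for every request (constructed sample).
SHARED_CONFIG = {"root": "", "version": "example"}

# A request handler is modelled as a generator: it yields once at the point
# where a real server could switch to another request, then returns the
# config it would serialize to the client.
Handler = Callable[[dict, str], Generator[None, None, dict]]


def render_shared(config: dict, root: str) -> Generator[None, None, dict]:
    """Vulnerable pattern: write the request's root into the shared dict,
    then serialize the shared dict.  Another request may overwrite ``root``
    between the two steps."""
    config["root"] = root      # step 1: mutate process-wide state
    yield                      # scheduling point: another request may run
    return dict(config)        # step 2: serialize whatever is in shared state now


def render_per_request(config: dict, root: str) -> Generator[None, None, dict]:
    """Hardened pattern: copy the shared config first and set ``root`` on the
    request-local copy, so no other request can observe or alter it."""
    local = dict(config)       # request-local copy; shared state is read-only
    local["root"] = root
    yield                      # same scheduling point, now harmless
    return local


def interleave(handler: Handler, roots: Iterable[str]) -> Dict[str, str]:
    """Run one handler per root, advancing them round-robin one step at a time.

    Returns {root the request asked for: root it actually received}.
    """
    pending = {r: handler(SHARED_CONFIG, r) for r in roots}
    observed: Dict[str, str] = {}
    while pending:
        for r in list(pending):
            try:
                next(pending[r])
            except StopIteration as finished:
                observed[r] = finished.value["root"]
                del pending[r]
    return observed


# Two concurrent requests, each expecting its own root (constructed sample values).
ROOTS = ("https://a.example", "https://b.example")


def demo_shared() -> Dict[str, str]:
    """Shared-dict pattern: request A is served B's root."""
    return interleave(render_shared, ROOTS)


def demo_per_request() -> Dict[str, str]:
    """Per-request copy: every request receives the root it asked for."""
    return interleave(render_per_request, ROOTS)


def leaked(observed: Dict[str, str]) -> int:
    """Count responses whose root came from a different request."""
    return sum(1 for asked, got in observed.items() if asked != got)


if __name__ == "__main__":
    print("shared dict   :", demo_shared())
    print("per-request   :", demo_per_request())
```

Running it shows the shared-dict variant handing request A the root written by request B, while the per-request variant keeps each response's `root` tied to the request that produced it. The same reasoning applies to any derived-per-request value stored on a process-wide object: either make it request-local or guard the write-then-read sequence so no other request can run between the two.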

Metadata

Created: 2024-10-10T22:04:21Z
Modified: 2025-01-21T17:18:30Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-xh2x-3mrm-fwqm/GHSA-xh2x-3mrm-fwqm.json
CWE IDs: ["CWE-362"]
Alternative ID: GHSA-xh2x-3mrm-fwqm
Finding: F124
Auto approve: 1