If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server.
In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.
What kind of vulnerability is it? Who is impacted? This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user can still access the monitoring dashboard by directly requesting the /monitoring endpoint. This means that sensitive application analytics may still be exposed, particularly in environments where monitoring is expected to be disabled. …
What kind of vulnerability is it? Who is impacted? This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This …
What kind of vulnerability is it? Who is impacted? This vulnerability is a data validation issue in the Gradio Dropdown component's pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired …
What kind of vulnerability is it? Who is impacted? This vulnerability relates to CORS origin validation accepting a null origin. When a Gradio server is deployed locally, the localhost_aliases variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running …
What kind of vulnerability is it? Who is impacted? This vulnerability relates to the bypass of directory traversal checks within the is_in_or_equal function. This function, intended to check if a file resides within a given directory, can be bypassed with certain payloads that manipulate file paths using .. (parent directory) sequences. Attackers could potentially access restricted files if they are able to exploit this flaw, although the difficulty is high. …
What kind of vulnerability is it? Who is impacted? This vulnerability relates to Server-Side Request Forgery (SSRF) in the /queue/join endpoint. Gradio’s async_save_url_to_cache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This could enable attackers to target internal servers or services within a local network and possibly exfiltrate data or cause unwanted internal requests. Additionally, the content from these URLs is stored locally, …
What kind of vulnerability is it? Who is impacted? This vulnerability involves insecure communication between the FRP (Fast Reverse Proxy) client and server when Gradio's share=True option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly …
What kind of vulnerability is it? Who is impacted? This vulnerability involves a timing attack in the way Gradio compares hashes for the analytics_dashboard function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query …
This vulnerability is a lack of integrity check on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file's checksum or signature. Who is impacted? Any users utilizing the Gradio server's sharing mechanism that downloads …
What kind of vulnerability is it? Who is impacted? This is a data validation vulnerability affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those …
What kind of vulnerability is it? Who is impacted? This vulnerability involves Cross-Site Scripting (XSS) on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scripts. When other users download or view these files, the scripts will execute in their browser, allowing attackers to perform unauthorized actions or steal sensitive information from their sessions. This impacts any Gradio …
What kind of vulnerability is it? Who is impacted? This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all …
What kind of vulnerability is it? Who is impacted? This vulnerability involves a one-level read path traversal in the /custom_component endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulating the file path in the request. Although the traversal is limited to a single directory level, it could expose proprietary or sensitive code that developers intended to keep private. This impacts users …
This vulnerability allows users of Gradio applications that have a public link (such as on Hugging Face Spaces) to access files on the machine hosting the Gradio application. This involves intercepting and modifying the network requests made by the Gradio app to the server.
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input.
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This issue is due to improper validation of user-supplied input in the handling of URLs. Attackers can exploit this vulnerability by crafting a malicious URL that, when processed by the application, …
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the /queue/join endpoint and the save_url_to_cache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the …
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises from improper input validation in the postprocess() function within gradio/components/json_component.py, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a path key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the /file=.. endpoint. This issue …
Component Server in Gradio before 4.13 does not properly consider _is_server_fn for functions.
An issue was discovered in gradio-app/gradio, where the /component_server endpoint improperly allows the invocation of any method on a Component class with attacker-controlled arguments. Specifically, by exploiting the move_resource_to_block_cache() method of the Block class, an attacker can copy any file on the filesystem to a temporary directory and subsequently retrieve it. This vulnerability enables unauthorized local file read access, posing a significant risk especially when the application is exposed to …
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating the file path in the request to the /queue/join endpoint. This issue could potentially lead to remote code execution. The vulnerability is present in the handling of file upload paths, allowing …
Previously, it was possible to exfiltrate secrets in Gradio's CI, but this is now fixed.
The /proxy route allows a user to proxy arbitrary urls including potential internal endpoints.
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references. Original Description A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host …
A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of …
Impact This security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soon as there is a string mismatch. Because Gradio apps are, by default, not rate-limited, a user could brute-force millions of guesses to figure out the correct username and password. Patches …
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of gradio prior to 4.11.0 contained a vulnerability in the /file route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if …
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository gradio-app/gradio prior to main.
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.
There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs
This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of …
gradio is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, gradio suffers from Improper Neutralization of Formula Elements in a CSV File. The gradio library has a flagging functionality which saves input/output data into a CSV file on the developer's computer. This can allow a user to save arbitrary text into the CSV file, such as commands. If a program like MS …
This is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces using gradio<2.4.8. Because of the way that static files were being served, someone who generated a public Gradio link and shared it with others would potentially be exposing the files on the computer that generated the link, while the link was active. An attacker would be able to view the contents of a file on the …