CVE-2023-25823: Update share links to use FRP instead of SSH tunneling
(updated )
This is a vulnerability which affects anyone using Gradio’s share links (i.e. creating a Gradio app and then setting share=True
) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users’ shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.
References
Detect and mitigate CVE-2023-25823 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →