CVE-2024-4325: Server-Side Request Forgery in gradio

June 6, 2024

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the /queue/join endpoint and the save_url_to_cache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.

References

github.com/advisories/GHSA-973g-55hp-3frw
github.com/gradio-app/gradio
github.com/gradio-app/gradio/pull/8301
huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88
nvd.nist.gov/vuln/detail/CVE-2024-4325

Detect and mitigate CVE-2024-4325 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →