CVE-2024-47084: Gradios's CORS origin validation is not performed when the request has a cookie

October 10, 2024 (updated January 21, 2025)

What kind of vulnerability is it? Who is impacted?

This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication.

References

github.com/advisories/GHSA-3c67-5hwx-f6wx
github.com/gradio-app/gradio
github.com/gradio-app/gradio/security/advisories/GHSA-3c67-5hwx-f6wx
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-196.yaml
nvd.nist.gov/vuln/detail/CVE-2024-47084

Code Behaviors & Features

Detect and mitigate CVE-2024-47084 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →