CVE-2024-47867: Gradio lacks integrity checking on the downloaded FRP client

October 10, 2024 (updated January 21, 2025)

This vulnerability is a lack of integrity check on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker gains access to the remote URL from which the FRP client is downloaded, they could modify the binary without detection, as the Gradio server does not verify the file’s checksum or signature.

Who is impacted? Any users utilizing the Gradio server’s sharing mechanism that downloads the FRP client could be affected by this vulnerability, especially those relying on the executable binary for secure data tunneling.

References

github.com/advisories/GHSA-8c87-gvhj-xm8m
github.com/gradio-app/gradio
github.com/gradio-app/gradio/security/advisories/GHSA-8c87-gvhj-xm8m
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-216.yaml
nvd.nist.gov/vuln/detail/CVE-2024-47867

Code Behaviors & Features

Detect and mitigate CVE-2024-47867 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →