CVE-2024-47870: Gradio has a race condition in update_root_in_config may redirect user traffic

October 10, 2024 (updated October 11, 2024)

What kind of vulnerability is it? Who is impacted?

This vulnerability involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition.

References

github.com/advisories/GHSA-xh2x-3mrm-fwqm
github.com/gradio-app/gradio
github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm
nvd.nist.gov/vuln/detail/CVE-2024-47870

Detect and mitigate CVE-2024-47870 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →