GHSA-26jh-r8g2-6fpr: Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list
What kind of vulnerability is it? Who is impacted?
This vulnerability is a data validation issue in the Gradio Dropdown component's pre-processing step. Even when the `allow_custom_value` parameter is set to `False`, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer's intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine.
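The defensive pattern this implies is to re-validate the submitted value against the configured choices inside the event handler rather than trusting the component's pre-processing. The following is an added example, not code from the advisory or from Gradio itself; the helper names (`allowed_values`, `is_permitted`, `validate_dropdown_value`) and the `SIZES` configuration are constructed for illustration, and it assumes choices are given as plain scalars or as `(label, value)` pairs.

```python
from typing import Iterable, Sequence, Union

# A dropdown choice is either a plain scalar value or a (label, value) pair;
# only the value half is what the browser sends back to the server.
Choice = Union[str, int, float, tuple]


def allowed_values(choices: Iterable[Choice]) -> set:
    """Build the allow-list of values the dropdown may legitimately submit."""
    permitted = set()
    for choice in choices:
        if isinstance(choice, (tuple, list)) and len(choice) == 2:
            permitted.add(choice[1])  # (label, value) pair: keep the value
        else:
            permitted.add(choice)
    return permitted


def is_permitted(value, choices: Sequence[Choice], *,
                 allow_custom_value: bool = False,
                 multiselect: bool = False) -> bool:
    """Return True only if `value` is something the developer actually offered.

    This is the check the advisory says the component's pre-processing skips:
    a crafted request can carry any value even when allow_custom_value=False,
    so the handler re-validates against the configured choices itself.
    """
    items = value if multiselect else [value]
    if not isinstance(items, list):
        return False  # a multiselect dropdown must arrive as a list
    permitted = allowed_values(choices)
    for item in items:
        try:
            known = item in permitted
        except TypeError:  # unhashable payloads (dict, list) can never be a choice
            return False
        if not known and not allow_custom_value:
            return False
    return True


def validate_dropdown_value(value, choices: Sequence[Choice], **kwargs):
    """Raise ValueError on a value that bypassed the dropdown's restriction."""
    if not is_permitted(value, choices, **kwargs):
        raise ValueError(f"{value!r} is not one of the dropdown choices")
    return value


# Constructed sample configuration (hypothetical, not from the advisory)
SIZES = ["small", "medium", ("Large (recommended)", "large")]
```

Calling `validate_dropdown_value(selected, SIZES, allow_custom_value=False)` at the top of the handler rejects any value the developer did not list, regardless of what the component's pre-processing let through.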