GHSA-26jh-r8g2-6fpr: Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list

What kind of vulnerability is it? Who is impacted?

This vulnerability is a data validation issue in the Gradio Dropdown component’s pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user’s machine.