Update share links to use FRP instead of SSH tunneling

GHSA-3x5j-9vwr-8rr5 · CVE-2023-25823 · PYSEC-2023-16

Published Feb 23, 2023 · Modified Sep 20, 2024

Description

Impact

This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.

Patches

The problem has been patched. Ideally, users should upgrade to gradio==3.19.1 or later where the FRP solution has been properly tested.

Credit

Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team

References

WEB https://github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-25823
PACKAGE https://github.com/gradio-app/gradio
WEB https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes