HIGH 7.3 PyPI

Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs

GHSA-3qqg-pgqq-3695 · CVE-2023-34239 · PYSEC-2023-90


Description

Impact

There are two separate security vulnerabilities here: (1) a vulnerability that allows users to read arbitrary files on the machines running shared Gradio apps, and (2) the ability of users to make machines that are sharing Gradio apps proxy arbitrary URLs on their behalf.

Patches

Both problems have been fixed; upgrade gradio to 3.34.0 or higher.
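A practical way to act on this advisory is to confirm that no environment or lockfile still pins a gradio release below 3.34.0. The following is an added example, not code from the advisory or from the Gradio project; it uses only the Python standard library and treats pre-release tags such as 3.34.0rc1 as older than the fixed release. The requirements excerpt embedded in it is constructed for illustration.

```python
"""Check installed or pinned gradio versions against the fix in 3.34.0
(GHSA-3qqg-pgqq-3695 / CVE-2023-34239). Added example, standard library only."""
import re
from importlib import metadata
from typing import Dict, List, Optional

PACKAGE = "gradio"
FIXED_RELEASE = "3.34.0"  # first release with both fixes, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '3.33.1', '3.34' or '3.34.0rc1' into a comparable tuple.

    The last element is 0 for a pre-release (rc/a/b/dev) and 1 for a final
    release, so 3.34.0rc1 sorts below 3.34.0.
    """
    m = re.match(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch, suffix = m.groups()
    is_prerelease = bool(
        re.match(r"^(rc|alpha|beta|a|b|dev)", suffix.lstrip(".-"), re.I)
    )
    return (int(major), int(minor or 0), int(patch or 0), 0 if is_prerelease else 1)


FIXED = parse_version(FIXED_RELEASE)


def is_vulnerable(version: str) -> bool:
    """True if this gradio version predates the fixed release."""
    return parse_version(version) < FIXED


def pinned_versions(requirements_text: str) -> Dict[str, Optional[str]]:
    """Map each gradio requirement line to its exact '==' pin.

    Lines with a range specifier (>=, ~=, ...) map to None: a range cannot be
    judged without resolving it, so the caller should check the lockfile or
    the installed package instead. 'gradio-client' is a different package and
    is deliberately not matched.
    """
    results: Dict[str, Optional[str]] = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^gradio(?![\w-])\s*(==|>=|~=|<=|!=|<|>)?\s*([\w.\-]+)?", line, re.I)
        if not m:
            continue
        op, ver = m.groups()
        results[line] = ver if op == "==" else None
    return results


def audit_requirements(requirements_text: str) -> List[str]:
    """Return the requirement lines that pin a vulnerable gradio version."""
    return [
        line
        for line, ver in pinned_versions(requirements_text).items()
        if ver is not None and is_vulnerable(ver)
    ]


def installed_is_vulnerable() -> Optional[bool]:
    """Check the gradio installed in this interpreter; None if not installed."""
    try:
        return is_vulnerable(metadata.version(PACKAGE))
    except metadata.PackageNotFoundError:
        return None


# Constructed requirements excerpt (not from the advisory); several gradio
# lines are listed only to exercise each branch of the matcher.
SAMPLE_REQUIREMENTS = """\
numpy==1.24.3
gradio-client==0.2.5    # different package, ignored
gradio==3.33.1          # below 3.34.0: vulnerable
gradio>=3.30            # range: resolve before judging
Gradio==3.34.0rc1       # pre-release of the fixed version: vulnerable
"""

if __name__ == "__main__":
    for line in audit_requirements(SAMPLE_REQUIREMENTS):
        print("vulnerable pin:", line)
    print("installed gradio vulnerable:", installed_is_vulnerable())
```

Run the script inside the environment that serves a shared Gradio app; a `True` from `installed_is_vulnerable()` or any line from `audit_requirements()` means the app is still exposed to both issues described above until it is upgraded.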

Workarounds

There is no workaround other than taking down any shared Gradio apps until they are upgraded.

References

Relevant PRs:
