Duplicate Advisory: Cross-Site Request Forgery in Gradio

GHSA-3x9g-xfj5-fq84

Published Mar 21, 2024 · Modified Dec 6, 2024

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references.

Original Description

A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-1727
WEB https://github.com/gradio-app/gradio/pull/7503
WEB https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
PACKAGE https://github.com/gradio-app/gradio
WEB https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes