VYPR
High severity · NVD Advisory · Published Mar 20, 2025 · Updated Oct 15, 2025

Regular Expression Denial of Service (ReDoS) in gradio-app/gradio

CVE-2024-10624

Description

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression ^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$ to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in Gradio's gr.Datetime component allows an attacker to cause a denial of service via crafted input.

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, specifically within the gr.Datetime component. The vulnerable regular expression, ^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$, is used to process user input. Due to polynomial-time matching behavior in Python's default regex engine, crafted inputs can cause excessive backtracking, leading to high CPU consumption [2][3].

The attack surface is exposed via HTTP requests to the Gradio application. An attacker can send a specially crafted request to the gr.Datetime component without requiring authentication, causing the server process to consume 100% CPU. This exploitation does not require network access beyond being able to send HTTP requests to the target service [2][4].

The impact of a successful exploit is a Denial of Service (DoS) condition on the server. The affected version is git commit 98cbcae [1][2]. The vulnerability was reported through the huntr bug bounty platform [4]; no workaround is documented, and users are advised to upgrade to a patched version once available.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
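The pattern quoted above placed beside a hardened parser, as an added example that is not gradio's own code or its fix: the input is length-bounded and stripped before matching, so no two \s* quantifiers can ever compete for the same run of whitespace, and a small regression check confirms the two patterns agree on benign input. The function names, MAX_LEN and the unit table are assumptions made for this example.

```python
import re
from datetime import timedelta
from typing import Optional

# Pattern quoted in the advisory. When the optional "now" group is skipped,
# its leading \s* and the trailing \s*$ both claim the same whitespace, so a
# long run of spaces followed by a non-matching character makes the engine
# retry every possible split between them (quadratic backtracking).
VULNERABLE_RE = re.compile(r"^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$")

# Hardened form (constructed for this example, not gradio's own fix). Input is
# stripped before matching, so every remaining \s* is followed by a distinct
# literal token and can never compete with another \s*. re.ASCII restricts \s
# and \d to ASCII so int() only ever sees plain digits.
SAFE_RE = re.compile(r"^(?:now(?:\s*-\s*(\d+)\s*([dmhs]))?)?$", re.ASCII)

# Assumed bound: reject oversized input before any regex work at all.
MAX_LEN = 64

UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}


def relative_offset(value: str) -> Optional[timedelta]:
    """Parse 'now', 'now - 5 m', 'now-2d' ... into the timedelta to subtract
    from the current time. Like the original pattern, empty input counts as
    'now' (offset zero). Returns None for malformed or oversized input."""
    if len(value) > MAX_LEN:
        return None
    m = SAFE_RE.match(value.strip())
    if m is None:
        return None
    amount, unit = m.groups()
    if amount is None:
        return timedelta(0)
    return timedelta(**{UNITS[unit]: int(amount)})


def agrees_on(value: str) -> bool:
    """Regression check: on short, benign input the hardened pattern must
    accept and reject exactly what the original pattern accepted and rejected."""
    return bool(VULNERABLE_RE.match(value)) == bool(SAFE_RE.match(value.strip()))


if __name__ == "__main__":
    # Constructed sample inputs: well-formed, malformed, and over the bound.
    for sample in ["now", "  now - 5 m ", "now-2d", "now - 3 x", "later", " " * 100]:
        print(repr(sample[:20]), "->", relative_offset(sample), "agrees:", agrees_on(sample))
```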

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions            Patched versions
gradio (PyPI)    >= 4.38.0, <= 5.0.0-beta.2   (none listed)

Affected products (3)

  • Range: = git commit 98cbcae
  • ghsa-coords
    Range: >= 4.38.0, <= 5.0.0-beta.2
  • gradio-app/gradio-app/gradiov5
    Range: unspecified

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.