High severityNVD Advisory· Published Mar 27, 2024· Updated Aug 1, 2024
SSRF Vulnerability in gradio-app/gradio
CVE-2024-2206
Description
An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the /proxy route. Attackers can exploit this vulnerability by manipulating the self.replica_urls set through the X-Direct-Url header in requests to the / and /config routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the build_proxy_request function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gradioPyPI | < 4.18.0 | 4.18.0 |
Affected products
2- Range: unspecified
Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.