Non-constant-time comparison when comparing hashes in Gradio
Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a timing attack in the way Gradio compares hashes for the analytics_dashboard function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to gradio>4.44 to mitigate this issue. To mitigate the risk before applying the patch, developers can manually patch the analytics_dashboard function to use a constant-time comparison function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A timing vulnerability in Gradio's hash comparison allows attackers to infer the correct hash byte-by-byte via response time measurements, potentially leading to unauthorized access to the analytics dashboard.
Vulnerability Overview
CVE-2024-47869 is a timing side-channel vulnerability in the Gradio open-source Python package, affecting the analytics_dashboard function. The root cause is that Gradio compares hashes in a non-constant-time manner (i.e., it terminates early on the first mismatched byte). An attacker can exploit this by repeatedly querying the system with different keys and measuring the response time; longer responses indicate a closer match to the correct hash, allowing the attacker to infer the hash byte-by-byte [1][2][4].
Exploitation and Attack Surface
Exploitation requires the ability to send multiple requests to the Gradio server's analytics dashboard endpoint, typically over a local or network-accessible connection. No special privileges are needed beyond network access, as the vulnerability lies in the comparison logic itself. The timing differences are small, but with repeated queries and statistical analysis, an attacker can determine the correct hash without knowing it in advance [2][3].
Impact
Successful exploitation permits unauthorized access to the analytics dashboard, potentially exposing sensitive usage metrics, configuration details, or other data served by that endpoint. While the dashboard itself may not directly contain high-risk secrets, its exposure could assist in further attacks or violate data privacy expectations [4].
Mitigation Status
Users are advised to upgrade to Gradio version 4.44 or later, where the hash comparison has been replaced with a constant-time function. For those unable to upgrade immediately, two workarounds exist: (1) manually patch the comparison logic in the analytics_dashboard function to use a constant-time comparison, or (2) disable access to the analytics dashboard entirely [2][4].
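As an added illustration (example code, not Gradio's own), the early-exit comparison the advisory describes is shown beside the constant-time replacement it recommends (`hmac.compare_digest`). The key, stored hash and helper names are constructed for this example.

```python
import hashlib
import hmac


def hash_key(key: str) -> bytes:
    """Hash a dashboard key the way a server might store its reference value."""
    return hashlib.sha256(key.encode("utf-8")).digest()


# Constructed reference hash for the demo; not a value from the advisory.
STORED_HASH = hash_key("constructed-demo-key")


def vulnerable_compare(a: bytes, b: bytes) -> tuple[bool, int]:
    """Byte-by-byte comparison that returns on the first mismatch.

    Returns (equal, bytes_examined). The second value makes the side channel
    visible: work done, and therefore response time, grows with the length of
    the matching prefix. This mirrors the pattern the advisory describes.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_compare(a: bytes, b: bytes) -> bool:
    """Hardened comparison: hmac.compare_digest does not short-circuit."""
    return hmac.compare_digest(a, b)


def check_dashboard_key(supplied: str, stored_hash: bytes = STORED_HASH) -> bool:
    """The recommended fix: hash the supplied key, compare in constant time."""
    return constant_time_compare(hash_key(supplied), stored_hash)


def prefix_guess(k: int, reference: bytes = STORED_HASH) -> bytes:
    """Constructed wrong value sharing exactly the first k bytes of reference.

    Used only to show that vulnerable_compare's work depends on k while
    constant_time_compare's result carries no such signal.
    """
    return reference[:k] + bytes([reference[k] ^ 0xFF]) + reference[k + 1:]
```

`vulnerable_compare(STORED_HASH, prefix_guess(3))` examines 4 bytes while `prefix_guess(0)` stops after 1; `check_dashboard_key` gives the same boolean answers without that leak.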
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gradio (PyPI) | < 4.44.0 | 4.44.0 |
Affected products
- gradio-app/gradio (v5), range: < 4.44
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-j757-pf57-f8r4 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2024-47869 (NVD advisory)
3. github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4 (vendor advisory, x_refsource_CONFIRM)
4. github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml (PyPA advisory database)
News mentions
No linked articles in our index yet.