VYPR

PyPI package

gradio

pkg:pypi/gradio

Vulnerabilities (46)

  • CVE-2024-47872Oct 10, 2024
    affected < 5.0.0fixed 5.0.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript, or SVG files containing malicious scrip

  • CVE-2024-47084Oct 10, 2024
    affected < 4.44.0fixed 4.44.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized reque

  • CVE-2024-47164Oct 10, 2024
    affected < 5.0.0fixed 5.0.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides within a given directory, can be bypassed wi

  • CVE-2024-47165Oct 10, 2024
    affected < 5.0.0fixed 5.0.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows atta

  • CVE-2024-47166Oct 10, 2024
    affected < 4.44.0fixed 4.44.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code from custom Gradio components by manipulatin

  • CVE-2024-47167Oct 10, 2024
    affected < 5.0.0fixed 5.0.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to force the Gradio server to send HTTP request

  • CVE-2024-47168Oct 10, 2024
    affected < 4.44.0fixed 4.44.0

    Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly disabled, an attacker or unauthorized user c

  • CVE-2024-39236Jul 1, 2024

    Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

  • CVE-2024-4940Jun 22, 2024
    affected <= 4.36.1

    An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF),

  • CVE-2024-4325Jun 6, 2024
    affected <= 4.36.0

    A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL,

  • CVE-2024-4941Jun 6, 2024
    affected < 4.31.3fixed 4.31.3

    A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as J

  • CVE-2024-34510May 5, 2024
    affected < 4.20.0fixed 4.20.0

    Gradio before 4.20 allows credential leakage on Windows.

  • CVE-2024-1561Apr 16, 2024
    affected < 4.13.0fixed 4.13.0

    An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_to_block_cache()` method of the `Block` cl

  • CVE-2024-1183Apr 16, 2024
    affected < 4.10.0fixed 4.10.0

    An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal por

  • CVE-2024-1728Apr 10, 2024
    affected < 4.19.2fixed 4.19.2

    gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, such as private SSH keys, by manipulating t

  • CVE-2024-1729Mar 29, 2024
    affected < 4.19.2fixed 4.19.2

    A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to validate user credentials, which can be expl

  • CVE-2024-1540Mar 27, 2024
    affected < 4.18.0fixed 4.18.0

    A command injection vulnerability exists in the deploy+test-visual.yml workflow of the gradio-app/gradio repository, due to improper neutralization of special elements used in a command. This vulnerability allows attackers to execute unauthorized commands, potentially leading to

  • CVE-2024-2206Mar 27, 2024
    affected < 4.18.0fixed 4.18.0

    An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Url` header in requests to the `/` and `/co

  • CVE-2024-1727Mar 21, 2024
    affected < 4.19.2fixed 4.19.2

    A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an a

  • CVE-2023-51449Dec 22, 2023
    affected < 4.11.0fixed 4.11.0

    Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptibl