Gradio Vulnerability: Command Injection in 'test-functional.yml' Workflow
CVE-2024-4253

9.1CRITICAL

Key Information:

Vendor: Gradio-app
Status: Gradio-app/gradio
Vendor: CVE Published:; 4 June 2024

What is CVE-2024-4253?

A command injection vulnerability is identified within the Gradio app's 'test-functional.yml' workflow. This flaw stems from inadequate sanitization of command elements, allowing for unauthorized modifications to the base repository and potential exfiltration of sensitive secrets such as 'GITHUB_TOKEN', 'COMMENT_TOKEN', and 'CHROMATIC_PROJECT_TOKEN'. The issue primarily affects versions up to and including '@gradio/[email protected]'. The vulnerability arises from the way GitHub context information is processed, echoing sensitive repository details without appropriate neutralization, which could be exploited by malicious actors.

Affected Version(s)

gradio-app/gradio < 4.29.0

References

https://huntr.com/bounties/23cb3749-8ae9-4e1a-9023-4a20ca...

https://github.com/gradio-app/gradio/commit/a0e70366a8a40...

CVSS V3.1

Score:

9.1

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2024
Vulnerability Reserved
Apr 26, 2024

Gradio-app

What is CVE-2024-4253?

Affected Version(s)

References

CVSS V3.1

Timeline