Server-Side Request Forgery (SSRF) in gradio-app/gradio
CVE-2024-4325

8.6HIGH

Key Information:

Vendor: Gradio-app
Status: Gradio-app/gradio
Vendor: CVE Published:; 6 June 2024

What is CVE-2024-4325?

A Server-Side Request Forgery (SSRF) vulnerability has been identified in Gradio version 4.21.0, specifically within the '/queue/join' endpoint and the 'save_url_to_cache' function. This vulnerability occurs due to improper validation of user-supplied path values, which are intended to be URLs. Attackers can exploit this flaw to send specially crafted HTTP requests, potentially gaining unauthorized access to sensitive internal networks or compromising the security of AWS metadata endpoints. As a result, internal servers' security may be put at risk, making it essential for users to implement stringent validation mechanisms to mitigate such vulnerabilities.

Affected Version(s)

gradio-app/gradio <= unspecified

References

https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a...

EPSS Score

42% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 6, 2024
Vulnerability Reserved
Apr 29, 2024

Gradio-app

What is CVE-2024-4325?

Affected Version(s)

References

EPSS Score

CVSS V3.1

Timeline