Lack of integrity check in Gradio server potentially allows attackers to introduce malicious code
CVE-2024-47867

7.5 HIGH

Key Information:

Vendor: Gradio-app

Status: Vendor

CVE Published: 10 October 2024

What is CVE-2024-47867?

The vulnerability in Gradio arises from the absence of integrity checks on downloads of the FRP (Fast Reverse Proxy) client. In theory, an attacker who can intercept the download could substitute a modified FRP client binary, and the tampered version would go undetected because Gradio performs no checksum or signature verification on the files it retrieves. The risk falls chiefly on users of Gradio's sharing functionality, which depends on the FRP client binary for secure data tunneling. Until they can update Gradio to a version that addresses the issue, users are encouraged to perform manual integrity checks on the binary in their own environments as an interim mitigation.
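The interim mitigation above, as an added example that is not Gradio's or FRP's own code: the downloaded bytes are written to a temporary file, hashed, and compared in constant time against a pinned SHA-256 before the file is ever made executable or moved into place, so a mismatched binary never becomes runnable. The expected digest is an assumed placeholder; a real deployment would pin the digest published for the exact FRP client release it expects.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path


def verify_and_install(chunks, expected_sha256, dest):
    """Stream `chunks` to a temp file beside `dest`, verify the SHA-256,
    and only then set the executable bit and atomically rename into place.
    Returns True on success; on mismatch the temp file is removed and
    nothing is left at `dest`. `expected_sha256` must be pinned out of band
    (here a constructed value is used; see self_check)."""
    dest = Path(dest)
    fd, tmp_path = tempfile.mkstemp(dir=dest.parent, prefix=".frpc-download-")
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "wb") as tmp:
            for chunk in chunks:          # hash while writing: no second read
                digest.update(chunk)
                tmp.write(chunk)
        # Constant-time comparison avoids leaking how much of the digest matched.
        if not hmac.compare_digest(digest.hexdigest(), expected_sha256.lower()):
            return False
        os.chmod(tmp_path, 0o755)         # executable only after verification
        os.replace(tmp_path, dest)        # atomic: never a half-written, runnable file
        return True
    finally:
        if os.path.exists(tmp_path):      # only still present on failure
            os.unlink(tmp_path)


def self_check():
    """Exercise the installer on a constructed stand-in for the frpc download."""
    sample = [b"#!/bin/sh\n", b"echo constructed-frpc-stand-in\n"]
    good = hashlib.sha256(b"".join(sample)).hexdigest()   # constructed pinned digest
    with tempfile.TemporaryDirectory() as d:
        ok_dest = os.path.join(d, "frpc")
        bad_dest = os.path.join(d, "frpc-tampered")
        accepted = verify_and_install(iter(sample), good, ok_dest)
        rejected = not verify_and_install(iter(sample), "00" * 32, bad_dest)
        return {
            "good_accepted": accepted and os.access(ok_dest, os.X_OK),
            "bad_rejected": rejected and not os.path.exists(bad_dest),
            "no_leftover_temp": not any(n.startswith(".frpc-download-") for n in os.listdir(d)),
        }


if __name__ == "__main__":
    print(self_check())
```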

Affected Version(s)

gradio < 5.0

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published