CVE-2023-25823: Update share links to use FRP instead of SSH tunneling

February 23, 2023 (updated September 20, 2024)

This is a vulnerability which affects anyone using Gradio’s share links (i.e. creating a Gradio app and then setting share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users’ shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.

References

github.com/advisories/GHSA-3x5j-9vwr-8rr5
github.com/gradio-app/gradio
github.com/gradio-app/gradio/security/advisories/GHSA-3x5j-9vwr-8rr5
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-16.yaml
nvd.nist.gov/vuln/detail/CVE-2023-25823

Code Behaviors & Features

Detect and mitigate CVE-2023-25823 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →