CVE-2024-1540: Gradio's CI vulnerable to Command Injection

March 27, 2024

Previously, it was possible to exfiltrate secrets in Gradio’s CI, but this is now fixed.

References

github.com/advisories/GHSA-xcgp-r7r8-2hc9
github.com/gradio-app/gradio
github.com/gradio-app/gradio/commit/d56bb28df80d8db1f33e4acf4f6b2c4f87cb8b28
huntr.com/bounties/0e39e974-9a66-476f-91f5-3f37abb03d77
nvd.nist.gov/vuln/detail/CVE-2024-1540

Code Behaviors & Features

Detect and mitigate CVE-2024-1540 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →