GHSA-3x9g-xfj5-fq84: Duplicate Advisory: Cross-Site Request Forgery in Gradio

March 21, 2024 (updated May 21, 2024)

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-48cq-79qq-6f7x. this link is maintained to preserve external references.

Original Description

A Cross-Site Request Forgery gives attackers the ability to upload many large files to a victim, if they are running Gradio locally. To resolve this a PR tightening the CORS rules around Gradio applications has been submitted. In particular, it checks to see if the host header is localhost (or one of its aliases) and if so, it requires the origin header (if present) to be localhost (or one of its aliases) as well.

References

github.com/advisories/GHSA-3x9g-xfj5-fq84
github.com/gradio-app/gradio
github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
github.com/gradio-app/gradio/pull/7503
huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff
nvd.nist.gov/vuln/detail/CVE-2024-1727

Code Behaviors & Features

Detect and mitigate GHSA-3x9g-xfj5-fq84 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →