3 matches found
GHSA-PFJF-5GXR-995X Gradio has an Open Redirect in its OAuth Flow
Summary The redirecttotarget function in Gradio's OAuth flow accepts an unvalidated targeturl query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled i.e. apps running on Hugging Face Spaces with...
GHSA-H3H8-3V2V-RG7M Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
Summary Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components e.g. gr.LoginButton are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingfacehub.gettoken and stores it...