
13 matches found

OSV
added 2025/05/29 3:31 p.m. | 0 views

GHSA-WMJH-CPQJ-4V6X Gradio CORS Origin Validation Bypass Vulnerability

A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to origin validation error. It is possible to initiate the attack remotely. Th...

CVSS 6.3 | AI score 4.6 | EPSS 0.00109
Exploits: 0 | References: 7
RedhatCVE
added 2025/05/23 10:42 a.m. | 3 views

CVE-2024-47167

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to Server-Side Request Forgery (SSRF) in the /queue/join endpoint. Gradio’s async_save_url_to_cache function allows attackers to force the Gradio server to send HTTP requests to user-controlled URLs. This...

CVSS 9.8 | AI score 6.6 | EPSS 0.00236
Exploits: 0
RedhatCVE
added 2025/05/23 10:14 a.m. | 6 views

CVE-2024-1727

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete...

CVSS 4.3 | AI score 6.7 | EPSS 0.00151
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 10:14 a.m. | 2 views

CVE-2024-1183

An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the...

CVSS 6.5 | AI score 6.7 | EPSS 0.55048
Exploits: 1 | References: 1
RedhatCVE
added 2025/05/23 7:37 a.m. | 8 views

CVE-2024-4940

An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (XSS), Server-Side Request Forgery (SSRF), amongst others. This...

CVSS 5.4 | AI score 5.4 | EPSS 0.07236
Exploits: 1
RedhatCVE
added 2025/03/22 12:47 p.m. | 6 views

CVE-2024-8021

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an...

CVSS 6.1 | AI score 6.6 | EPSS 0.02447
Exploits: 1 | References: 1
Github Security Blog
added 2025/03/20 12:32 p.m. | 8 views

Gradio Vulnerable to Open Redirect

An open redirect vulnerability exists in the latest version of gradio-app/gradio. The vulnerability allows an attacker to redirect users to a malicious website by URL encoding. This can be exploited by sending a crafted request to the application, which results in a 302 redirect to an...

CVSS 6.1 | AI score 6.5 | EPSS 0.02447
Exploits: 1 | References: 3 | Affected Software: 1
NVD
added 2025/03/20 10:15 a.m. | 5 views

CVE-2025-0187

A Denial of Service (DoS) vulnerability was discovered in the file upload feature of gradio-app/gradio version 0.39.1. The vulnerability is due to improper handling of form-data with a large filename in the file upload request. By sending a payload with an excessively large filename, the server...

CVSS 7.5 | EPSS 0.00751
Exploits: 1 | References: 1
NVD
added 2025/03/20 10:15 a.m. | 5 views

CVE-2024-10624

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression ^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$ to process user input...

CVSS 7.5 | EPSS 0.00822
Exploits: 1 | References: 1
CVE
added 2025/03/20 10:11 a.m. | 79 views

CVE-2024-8021

CVE-2024-8021 is an open redirect vulnerability in gradio-app/gradio identified across multiple sources. The issue allows an attacker to trigger a 302 redirect to a malicious site by exploiting URL encoding, effectively steering users to attacker-controlled destinations via crafted requests. Affe...

CVSS 6.1 | AI score 6.6 | EPSS 0.02447
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2025/03/20 10:10 a.m. | 35 views

CVE-2024-10624

CVE-2024-10624 affects the gradio-app/gradio repository, vulnerable in the gr.Datetime component due to a vulnerable regex: ^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$ that can cause polynomial-time matching in Python’s regex engine. The affected commit is 98cbcae. An attacker can trigger a DoS b...

CVSS 7.5 | AI score 6.8 | EPSS 0.00822
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2024/05/05 12:00 a.m. | 46 views

CVE-2024-34510

Summary: CVE-2024-34510 affects Gradio prior to 4.20 and allows credential leakage on Windows. The CVSS v3.1 metrics indicate a HIGH severity (base score 7.5) with network attack vector, low attack complexity, no privileges required, and no user interaction. The impact is limited to confidentiali...

CVSS 7.5 | AI score 6.8 | EPSS 0.00092
Exploits: 0 | References: 2 | Affected Software: 1
SUSE CVE
added 2024/03/23 3:35 a.m. | 1 views

SUSE CVE-2024-1727

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete...

CVSS 4.3 | AI score 6.9 | EPSS 0.00151
Exploits: 1 | References: 3