High

gradio

SSRF Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was identified in gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. This vulnerability allows attackers to make the server send unauthorized requests to internal networks or services. The available information did not explicitly state whether the issue has been patched.

Available publicly on Apr 29 2024

CVSS: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Credit: mvlttt

Threat Overview

The SSRF vulnerability in gradio-app/gradio arises when user-supplied input, specifically a URL in the `path` parameter, is not adequately validated before being used to make HTTP requests. This flaw can be exploited to make the server send requests to unintended locations, including internal services within the victim's infrastructure. The vulnerability chain starts from the `move_files_to_cache` function and progresses through several layers of function calls, ultimately reaching the `save_url_to_cache` function, where the malicious URL is processed. This can lead to information disclosure, unauthorized access to internal services, or even remote code execution if internal services are themselves vulnerable.

Attack Scenario

An attacker can exploit this vulnerability by crafting a malicious URL and submitting it through the vulnerable endpoint. By intercepting a legitimate request to the `/queue/join` endpoint using tools like Burp Suite, the attacker replaces the `path` parameter with the malicious URL. The server then makes an HTTP request to this URL, which could be an internal service or a controlled external server that logs incoming requests, thereby leaking sensitive information or facilitating further attacks.

Who is affected

Any deployment of gradio-app/gradio version 4.21.0 that exposes the `/queue/join` endpoint to user input without additional security measures is vulnerable to this SSRF attack. This includes web applications using this framework version for processing and displaying user-supplied files.
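The root cause described above is a server-side fetch of a user-controlled URL with no destination check. The following is an added example (not gradio's own code) of the kind of gate a cache helper such as `save_url_to_cache` could apply before requesting a URL: only http(s), no userinfo, and every address the host resolves to must be publicly routable. The resolver is injectable and the DNS table is constructed so the example runs offline; a real deployment should connect to the address it validated, so a name cannot be re-pointed between the check and the fetch.

```python
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Every A/AAAA address a hostname currently resolves to."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    """Globally routable unicast only: loopback, RFC 1918, link-local (cloud
    metadata endpoints), 0.0.0.0/8, ULA, reserved and multicast all fail, as
    do IPv4-mapped IPv6 spellings of those ranges."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return ip.is_global and not ip.is_multicast


def is_safe_fetch_url(url: str, resolver: Resolver = system_resolver) -> bool:
    """Gate a server-side fetch of a user-supplied URL. A hostname that mixes
    public and internal records, or that fails to resolve, is rejected."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username is not None or parts.password is not None:
        return False  # user@host forms are a classic parser-confusion vector
    host = parts.hostname
    try:
        ipaddress.ip_address(host)  # literal address: check it directly
        addrs = [host]
    except ValueError:
        try:
            addrs = resolver(host)  # hostname: check what it resolves to
        except (socket.gaierror, KeyError):
            return False
    return bool(addrs) and all(is_public_address(a) for a in addrs)


# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {
    "files.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}
fake_resolver: Resolver = lambda host: FAKE_DNS[host]
```

Decimal or hex spellings of an address (`http://2130706433/`) are not IP literals to `ipaddress`, so they fall through to the resolver, which normalises them before the public-address check runs.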
