High

gradio

SSRF Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability was identified in gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. This vulnerability allows attackers to make the server send unauthorized requests to internal networks or services. No patch for the issue was indicated in the available information.

Available publicly on Apr 29 2024

8.6

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Credit:

mvlttt

Remediation Steps
  • Ensure input validation is implemented for all user-supplied URLs, rejecting any that do not match expected patterns.
  • Update the gradio-app/gradio to a version where this vulnerability is patched, if available.
  • Employ network segmentation and firewall rules to restrict the server's ability to make outbound requests to sensitive or internal services.
  • Apply SSRF mitigations such as allowlists of acceptable domains and protocols, and error handling that does not leak information about the internal network.
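The first and last remediation steps above (validating user-supplied URLs and allowlisting domains and protocols) can be combined into a single pre-fetch check. The following is an added example written for this advisory; it is not gradio's code and does not show how `save_url_to_cache` works. The allowlist contents, the `validate_outbound_url` function name and the constructed DNS table are assumptions for illustration. The check also resolves the allowlisted name and rejects any address that is not publicly routable, which covers the case where an allowlisted hostname points at an internal address.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Hypothetical allowlist for this example. A real deployment lists only the
# schemes and hosts the application legitimately needs to fetch from.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


def is_public_ip(ip_str: str) -> bool:
    """True only for globally routable unicast addresses (v4 or v6)."""
    ip = ipaddress.ip_address(ip_str)
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:10.0.0.1) so the v4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not (ip.is_multicast or ip.is_reserved)


def _dns_resolve(host: str) -> list[str]:
    """Default resolver: every A/AAAA answer for the host, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_outbound_url(url: str, resolve=None) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL the server is asked to fetch.

    resolve(hostname) -> list of IP strings; defaults to live DNS.
    """
    try:
        parts = urlparse(url)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname  # already lower-cased, brackets stripped
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        # Rejects forms like http://allowed.host@other.host/ outright.
        return False, "credentials in URL not allowed"
    if host not in ALLOWED_HOSTS:
        return False, f"host not in allowlist: {host!r}"
    # An allowlisted name may still resolve to an internal address, so check
    # every address it resolves to, not just the name.
    try:
        addrs = (resolve or _dns_resolve)(host)
    except socket.gaierror as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if not is_public_ip(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS table so the example runs offline; these are not real records.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],   # constructed: a public address
    "cdn.example.com": ["10.0.0.5"],    # constructed: allowlisted name, internal address
}


def fake_resolve(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed: no record for {host}")


if __name__ == "__main__":
    for candidate in [
        "https://example.com/data.csv",        # allowed
        "http://cdn.example.com/logo.png",     # allowlisted name, internal IP
        "file:///etc/passwd",                  # scheme not allowed
        "http://127.0.0.1:7860/",              # host not in allowlist
        "http://example.com@other.example/",   # credentials trick
    ]:
        print(candidate, "->", validate_outbound_url(candidate, fake_resolve))
```

The ordering matters: scheme and host checks are cheap and run first, while DNS resolution runs last and only for hosts that already passed the allowlist. In production the default resolver would be used; the constructed `fake_resolve` exists only so the example is reproducible without network access.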

Patch Details
  • Fixed Version: N/A
  • Patch Commit: N/A