CVE-2024-1727
CSRF Vulnerability in gradio-app/gradio
Public Exploits: 0
Exploited in Wild: -
Descriptions
A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.
To prevent malicious third-party websites from making requests to Gradio applications running locally, this PR hardens the CORS rules around Gradio applications. In particular, it checks whether the host header is localhost (or one of its aliases) and, if so, requires the origin header (if present) to also be localhost (or one of its aliases).
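The rule described above, written out as a standalone check. This is an added example, not Gradio's code from the referenced commit; the alias set and the function names are assumptions made for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumed alias set; the description only says "localhost (or one of its aliases)".
LOCALHOST_ALIASES = frozenset({"localhost", "127.0.0.1", "::1"})


def _hostname(value: str) -> Optional[str]:
    """Return the lowercase hostname from a Host or Origin header value."""
    value = value.strip()
    if not value:
        return None
    # A Host header has no scheme; prefix "//" so urlsplit parses it as a netloc.
    target = value if "://" in value else "//" + value
    try:
        return urlsplit(target).hostname
    except ValueError:  # e.g. an unterminated IPv6 literal
        return None


def is_local(value: str) -> bool:
    """Exact match on the parsed hostname, so 'localhost.evil.example' fails."""
    return _hostname(value) in LOCALHOST_ALIASES


def origin_allowed(host: Optional[str], origin: Optional[str]) -> bool:
    """If Host is a localhost alias, a present Origin must be one as well."""
    if host is None or not is_local(host):
        return True  # app is not being addressed as localhost: rule does not apply
    if origin is None:
        return True  # no Origin header present
    return is_local(origin)  # rejects foreign sites and the opaque "null" origin


if __name__ == "__main__":
    # Constructed (Host, Origin) pairs, not captured traffic.
    samples = [
        ("localhost:7860", "http://localhost:7860"),
        ("127.0.0.1:7860", "http://localhost:7860"),
        ("localhost:7860", "https://evil.example"),
        ("localhost:7860", "http://localhost.evil.example"),
        ("localhost:7860", "null"),
        ("localhost:7860", None),
    ]
    for host, origin in samples:
        verdict = "allow" if origin_allowed(host, origin) else "reject"
        print(f"Host={host!r:20} Origin={origin!r:36} -> {verdict}")
```

Matching on the parsed hostname rather than a substring or prefix of the header is what keeps look-alike names such as `localhost.evil.example` from passing.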
SSVC
- Decision: Track*
Timeline
- 2024-02-21 CVE Reserved
- 2024-03-21 CVE Published
- 2024-08-01 CVE Updated
- 2025-04-15 EPSS Updated
CWE
- CWE-352: Cross-Site Request Forgery (CSRF)
References (2)
URL | Tag | Source |
---|---|---|
https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a | | |
https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff | | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Gradio Project | Gradio | * | - | Affected |