Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 4.44.0 | 4.44.0 |
| gradio | pip | — | No patch |
Severity & Risk
Recommended Action
Patch available
Update gradio to version 4.44.0
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Because the comparison is not done in constant time, an attacker could measure the response time of different requests to infer the correct hash byte by byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys. Users are advised to upgrade to `gradio>4.44` to mitigate this issue. To reduce the risk before applying the patch, developers can manually patch the `analytics_dashboard` function to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
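The following added example (not Gradio's own code) illustrates the defect class the description names and the constant-time fix it recommends: an early-exit string comparison leaks how much of the expected hash a guess matched, while `hmac.compare_digest` does not. The key name, the SHA-256 hashing and the helper names are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample: a dashboard key an operator might configure
# (hypothetical; the real Gradio setting is not shown on this page).
ANALYTICS_KEY = "example-dashboard-key"
EXPECTED_HASH = hashlib.sha256(ANALYTICS_KEY.encode()).hexdigest()


def naive_compare(a: str, b: str) -> tuple[bool, int]:
    """Early-exit comparison, the pattern behind the flaw.

    Returns (equal, positions_examined). The work done before returning
    grows with the length of the matching prefix, and that difference is
    what shows up in response time.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def check_key_vulnerable(supplied: str) -> bool:
    """Mirrors the defect: hex digests compared with an early-exit loop."""
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    return naive_compare(digest, EXPECTED_HASH)[0]


def check_key_hardened(supplied: str) -> bool:
    """Recommended fix: hmac.compare_digest takes time independent of
    where the inputs first differ, so timing reveals nothing about the
    matching prefix."""
    digest = hashlib.sha256(supplied.encode()).hexdigest()
    return hmac.compare_digest(digest.encode(), EXPECTED_HASH.encode())


def leak_demo() -> tuple[int, int]:
    """Positions examined for a candidate that differs in the first hex
    character versus one that differs only in the last: (1, 64)."""
    flip = lambda c: "0" if c != "0" else "1"
    wrong_early = flip(EXPECTED_HASH[0]) + EXPECTED_HASH[1:]
    wrong_late = EXPECTED_HASH[:-1] + flip(EXPECTED_HASH[-1])
    early = naive_compare(wrong_early, EXPECTED_HASH)[1]
    late = naive_compare(wrong_late, EXPECTED_HASH)[1]
    return early, late
```

The gap between the two counts returned by `leak_demo` is the signal a non-constant-time check exposes; `check_key_hardened` closes it without changing the accept/reject result.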
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
References
- github.com/advisories/GHSA-j757-pf57-f8r4
- github.com/gradio-app/gradio/security/advisories/GHSA-j757-pf57-f8r4
- github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-199.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-47869