AI Threat Alert
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the...
Full analysis pending. Showing NVD description excerpt.
Affected Systems
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| gradio | pip | < 5.0.0 | 5.0.0 |
| gradio | pip | — | No patch |
Severity & Risk
Recommended Action
Patch available
Update gradio to version 5.0.0
Compliance Impact
Compliance analysis pending. Sign in for full compliance mapping when available.
Technical Details
NVD Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H References
- github.com/advisories/GHSA-xh2x-3mrm-fwqm
- github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm
- github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-218.yaml
- nvd.nist.gov/vuln/detail/CVE-2024-47870
- github.com/gradio-app/gradio/security/advisories/GHSA-xh2x-3mrm-fwqm 3rd Party