Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-47165

Good to know:

icon
icon

Date: October 10, 2024

Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.

Language: Python

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2024-47165
https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9
https://github.com/gradio-app/gradio
https://www.mend.io/vulnerability-database/CVE-2024-47165

Severity Score

Weakness Type (CWE)

Improper Authorization

CWE-285

Origin Validation Error

CWE-346

Top Fix

icon

Upgrade Version

Upgrade to version gradio - 5.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us