Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 17 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Fri, 11 Oct 2024 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Gradio Project
Gradio Project gradio
CPEs cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:*:*:*
Vendors & Products Gradio Project
Gradio Project gradio
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 10 Oct 2024 22:30:00 +0000

Type Values Removed Values Added
Description Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server. This could lead to the interception of sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet, where malicious actors could exploit this race condition. Users are advised to upgrade to `gradio>=5` to address this issue. There are no known workarounds for this issue.
Title Race condition in update_root_in_config may redirect user traffic in Gradio
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-10-11T15:17:49.588Z

Reserved: 2024-10-04T16:00:09.629Z

Link: CVE-2024-47870

cve-icon Vulnrichment

Updated: 2024-10-11T15:17:45.625Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-10T23:15:03.070

Modified: 2024-10-17T16:57:02.283

Link: CVE-2024-47870

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.