Vulnerability Description
Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication. Users are advised to upgrade to `gradio>=5.0` to address this issue. As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gradio Project | Gradio | < 5.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/gradio-app/gradio/security/advisories/GHSA-89v2-pqfv-c5r9Third Party Advisory
FAQ
What is CVE-2024-47165?
CVE-2024-47165 is a vulnerability with a CVSS score of 5.4 (MEDIUM). Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the ...
How severe is CVE-2024-47165?
CVE-2024-47165 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-47165?
Check the references section above for vendor advisories and patch information. Affected products include: Gradio Project Gradio.