CVE-2024-48052

Published: Nov 4, 2024

Modified: Nov 6, 2024

PUBLISHED

Description

In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4

https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-48052

Description

Affected Products

References