Home > Vulnerability Database > CVE-2024-2206

Mend.io Vulnerability Database

CVE-2024-2206

Good to know:

Date: March 26, 2024

An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the "/proxy" route. Attackers can exploit this vulnerability by manipulating the "self.replica_urls" set through the "X-Direct-Url" header in requests to the "/" and "/config" routes, allowing the addition of arbitrary URLs for proxying. This flaw enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. The issue arises from the application's inadequate checking of safe URLs in the "build_proxy_request" function.

Language: Python

Severity Score

7.3

Related Resources (5)

Url: https://huntr.com/bounties/2286c1ed-b889-45d6-adda-7014ea06d98e

Url: https://github.com/gradio-app/gradio/commit/49d9c48537aa706bf72628e3640389470138bdc6

Url: https://github.com/gradio-app/gradio

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-2206

Url: https://www.mend.io/vulnerability-database/CVE-2024-2206

Severity Score

7.3

Weakness Type (CWE)

Server-Side Request Forgery (SSRF)

CWE-918

Top Fix

Upgrade Version

Upgrade to version gradio - 4.18.0

Learn More

CVSS v3.1

Base Score:	7.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2024-2206

Good to know:

Date: March 26, 2024

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?