CVE-2024-47167

CVSS 3.1 Score 9.8 of 10 (high)

Details

Published Oct 10, 2024
Updated: Oct 17, 2024
CWE ID 918

Summary

CVE-2024-47167 is a newly identified Server-Side Request Forgery (SSRF) vulnerability affecting the Gradio open-source Python package. The issue lies in the `/queue/join` endpoint and the `async_save_url_to_cache` function, which together allow attackers to make Gradio servers send HTTP requests to user-controlled URLs. An attacker could exploit this vulnerability to reach internal servers or services within a local network, potentially leading to data exfiltration or unwanted internal requests. Moreover, the content fetched from these URLs is stored locally, giving attackers an easier avenue for placing malicious files on the server. Users running Gradio servers that use components with URL-fetching capabilities, such as the Video component, are at risk. To mitigate the threat, users are urged to upgrade to `gradio>=5`. As a temporary workaround, users can restrict URL-based inputs to trusted domains only, or disable them, and apply stricter URL validation.
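The workaround above (restrict URL-based inputs to trusted domains and validate URLs more strictly) can be applied as a check run before any server-side fetch. The following is an added example written for this page, not code from Gradio or from the advisory; the host allowlist, the sample URLs and the `resolve` callback are constructed placeholders. It rejects non-HTTP schemes, embedded credentials, hosts outside the allowlist, and IP literals that are not globally routable (loopback, private, link-local), and it optionally checks the addresses a host resolves to so that an allowlisted name cannot point the fetch back at an internal address.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment sets its own.
ALLOWED_HOSTS = {"example.com", "cdn.example.com"}


def is_safe_url(url, allowed_hosts=ALLOWED_HOSTS, resolve=None):
    """Return True only if `url` is an http(s) URL whose host is allowlisted
    and does not point at a non-global (internal) address.

    `resolve`, if given, is a callable host -> list of IP address strings.
    It is an assumed hook so the check can also cover DNS results; a caller
    would pass something backed by socket.getaddrinfo.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        # Malformed IPv6 brackets and similar parse failures are rejected.
        return False

    # Only plain web fetches; file://, gopher://, ftp:// etc. are refused.
    if parts.scheme not in ("http", "https"):
        return False

    # Embedded credentials are a classic way to confuse naive host checks
    # (http://trusted.example@evil.example/), so refuse them outright.
    if parts.username is not None or parts.password is not None:
        return False

    host = parts.hostname
    if not host:
        return False
    # Normalise case and a trailing dot so "EXAMPLE.COM." matches the allowlist.
    host = host.rstrip(".").lower()

    # IP literals: require a globally routable address, which excludes
    # 127.0.0.0/8, 10/8, 172.16/12, 192.168/16, 169.254/16, ::1, fc00::/7.
    try:
        literal = ip_address(host)
    except ValueError:
        literal = None
    if literal is not None and not literal.is_global:
        return False

    # Allowlist check: the host must be an exact, known entry.
    if host not in allowed_hosts:
        return False

    # Optional resolver check: every address the name maps to must be global,
    # otherwise an allowlisted name could still steer the fetch inside.
    if resolve is not None:
        try:
            addresses = resolve(host)
        except OSError:
            return False
        if not addresses:
            return False
        for addr in addresses:
            if not ip_address(addr).is_global:
                return False

    return True


def classify(urls, **kwargs):
    """Map each URL to its verdict; convenient for reviewing a batch of inputs."""
    return {u: is_safe_url(u, **kwargs) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs of the kind a URL-fetching component receives.
    samples = [
        "https://cdn.example.com/clip.mp4",
        "http://127.0.0.1:7860/",
        "http://169.254.169.254/latest/meta-data/",
        "file:///etc/passwd",
        "http://example.com@evil.example/",
        "http://EXAMPLE.COM./video.mp4",
    ]
    for url, verdict in classify(samples).items():
        print(f"{'ALLOW' if verdict else 'DENY ':5} {url}")
```

A resolver-backed call would look like `is_safe_url(url, resolve=lambda h: [r[4][0] for r in socket.getaddrinfo(h, None)])`. The fetch itself should then connect to the addresses that were checked, or re-check them at connect time, since a name that resolves to a public address at validation time and to an internal one a moment later (DNS rebinding) would otherwise slip past this filter.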
