CVE-2024-1183
published 2024-04-16


Priority: P3 (43)
Severity: medium, 6.5 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Tags: EXPLOIT
EPSS: 1.78% (75.5th percentile)
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.

Affected (3 ranges)

Vendor         | Product             | Version range            | Fixed in
gradio-app     | gradio-app_gradio   | >= unspecified, < 4.11   | 4.11
gradio_project | gradio              | >= 0, < 4.10.0           | 4.10.0
gradio_project | gradio              | >= 3.41.0, < 4.11.0      | 4.11.0

Detection & IOCs (extracted from sources)

url:   GET /file=http://oast.pro HTTP/1.1
path:  /file=http://oast.pro
other: shodan-query: html:"__gradio_mode__"
yara/regex (Nuclei matcher, part: header): '(?m)^(?:Location\s*?:\s*?)(?:https?://|//)(?:[a-zA-Z0-9\-_\.@]*)oast\.pro.*$'
  • SSRF exploitation is performed via a GET request to the /file= endpoint with an external URL as the parameter value (e.g., /file=http://<attacker-host>). A successful hit is indicated by a 'Location' header in the HTTP response redirecting to the attacker-controlled host.
  • Differentiate open vs. closed internal ports: a target the server can reach produces a 'Location' header redirect, while a closed/filtered port produces a 'File not allowed' error. Monitor for repeated /file= requests whose value is a URL pointing at internal IP ranges (e.g., 127.x, 10.x, 172.16-31.x, 192.168.x); the value may arrive percent-encoded, so decode it before matching.
  • Identify exposed Gradio instances via Shodan using the fingerprint html:"__gradio_mode__" to scope the vulnerable attack surface.
  • One source scopes the vulnerability to versions prior to 3.33 on the 3.x branch and prior to 4.11 on the 4.x branch; the Affected ranges above list 4.10.0 and 4.11.0 as the fixed versions. Apply version scoping when deploying detections to avoid false positives on patched instances.
  • The Nuclei template is marked as requiring only one HTTP request (max-request: 1) and uses an OAST/out-of-band callback (oast.pro) for confirmation. Detections relying solely on in-band response analysis (the Location header regex) will miss cases where the probed target is unreachable and the server answers with the 'File not allowed' error instead of a redirect; the out-of-band callback confirms that the server actually contacted the target.
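The two bullets on the request shape and the open/closed oracle are enough to write a small log-side detector. The following is an added example, not code from the page or from the gradio project: it parses constructed combined-format access-log lines (documentation-range IPs, hypothetical user agents and status codes), extracts the /file= value, decides whether it is a URL and whether that URL points at an internal address, flags sources that repeatedly probe internal targets, and maps a captured response to the 'open' / 'closed' oracle described above. The 403 status paired with 'File not allowed' in the sample is an assumption about how the error is served.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines (combined log format). Source addresses are
# documentation ranges; the request shape (GET /file=<url>) follows the IOCs above.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Apr/2024:10:01:02 +0000] "GET /file=http://oast.pro HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [16/Apr/2024:10:01:05 +0000] "GET /file=http://127.0.0.1:6379/ HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.7 - - [16/Apr/2024:10:01:06 +0000] "GET /file=http://10.0.0.5:8080/ HTTP/1.1" 403 16 "-" "curl/8.0"
198.51.100.2 - - [16/Apr/2024:10:02:00 +0000] "GET /file=/tmp/gradio/abc/image.png HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Apr/2024:10:03:00 +0000] "GET /file=http%3A%2F%2F192.168.1.1%3A22%2F HTTP/1.1" 403 16 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
REDIRECT_CODES = (301, 302, 303, 307, 308)


def parse_line(line):
    """Return (src, method, path, status) for a combined-format log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("src"), m.group("method"), m.group("path"), int(m.group("status"))


def file_param_target(path):
    """Value of the /file= parameter, percent-decoded; None if not that endpoint."""
    prefix = "/file="
    if not path.startswith(prefix):
        return None
    return unquote(path[len(prefix):])


def is_url_target(target):
    """True when the 'file' value is a URL rather than a filesystem path."""
    return target.startswith(("http://", "https://", "//"))


def host_class(target):
    """'internal' if the URL host is loopback/private/link-local or localhost,
    'external' for anything else, 'not-url' for plain paths. DNS names are
    treated as external because nothing is resolved offline."""
    if not is_url_target(target):
        return "not-url"
    url = "http:" + target if target.startswith("//") else target
    host = urlsplit(url).hostname or ""
    if host == "localhost" or host.endswith(".localhost"):
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"
    if ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved:
        return "internal"
    return "external"


def find_probes(log_text):
    """One finding per /file= request whose value is a URL (the SSRF shape)."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        src, _method, path, status = parsed
        target = file_param_target(path)
        if target is None or not is_url_target(target):
            continue
        findings.append({"src": src, "target": target,
                         "host_class": host_class(target), "status": status})
    return findings


def internal_scan_sources(findings, threshold=2):
    """Sources that probed at least `threshold` internal targets: the repeated
    /file= requests against private ranges that the bullets above say to monitor."""
    counts = {}
    for f in findings:
        if f["host_class"] == "internal":
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def classify_probe_response(target, status, location, body):
    """Map a captured response to the oracle: a redirect whose Location echoes the
    probed URL means the server could reach it ('open'); a 'File not allowed'
    error means it could not ('closed'); anything else is inconclusive."""
    if status in REDIRECT_CODES and location.rstrip("/") == target.rstrip("/"):
        return "open"
    if "File not allowed" in body:
        return "closed"
    return "unknown"


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for p in probes:
        print(f'{p["src"]} -> {p["target"]} [{p["host_class"]}] status={p["status"]}')
    print("repeated internal probing from:", internal_scan_sources(probes))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; the threshold in internal_scan_sources is the only tuning knob, and a single internal probe from one source is still worth a ticket on an instance in an affected version range.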

CVSS provenance

nvd:           v3.0, 6.5 MEDIUM, CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
vendor_redhat: 7.8 HIGH