CVE-2024-4325
Published: 2024-06-06
Priority: P1 (84) · CVSS 3.1 base score 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
In-the-wild exploit · VulnCheck KEV · Exploited in the wild
EPSS: 37.37% (98.3rd percentile)
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gradio-app | gradio-app_gradio | unspecified – latest | — |
| gradio_project | gradio | < 4.41.0 | 4.41.0 |
| gradio_project | gradio | 0 – 4.36.0 | — |
Detection & IOCs (extracted from sources)
- Detect SSRF exploitation attempts by monitoring POST requests to `/queue/join` containing a `path` field with an external or internal URL value inside the JSON body, particularly within a `gradio.FileData` typed object.
- After a `/queue/join` SSRF trigger, watch for follow-up GET requests to `/file=/tmp/gradio/<sha1_hash>/<hostname>`; this path pattern is used to retrieve the SSRF-fetched content from the server's local cache.
- Successful exploitation is confirmed when the response body to the `/file=` GET request contains OAST/OOB callback server strings such as 'Interactsh Server' or '/projectdiscovery/interactsh', with HTTP 200 status.
- Exposed Gradio instances can be identified with the Shodan query `http.html:"__gradio_mode__"` or `http.title:"gradio"`, and the FOFA query `body="__gradio_mode__"` or `title="gradio"`.
- The SSRF can be used to reach the AWS metadata endpoint; monitor outbound requests from the Gradio process to `169.254.169.254` as an indicator of cloud metadata exfiltration.
- The intermediate `/queue/join` response confirming a valid SSRF-triggerable session will contain `event_id` in a JSON body (`Content-Type: application/json`); use this as a first-stage detection filter.
- The vulnerability is confirmed present in Gradio version 4.21.0 specifically; the SSRF exists because the `path` value from user input is passed to `save_url_to_cache` without sufficient validation.
- The exploit is unauthenticated (PR:N) and requires no user interaction (UI:N), making it remotely exploitable with no prerequisites on any exposed Gradio 4.21.0 instance.
- The PoC template uses a two-step flow: step 1 POSTs to `/queue/join` to trigger the SSRF fetch and cache the result; step 2 GETs `/file=/tmp/gradio/<sha1>/` to retrieve the cached content. Both steps must succeed for confirmed exploitation.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| nvd | 3.0 | 8.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
| vulncheck | — | 8.6 | HIGH | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |
OSV
Server-Side Request Forgery in gradio
osv · 2024-06-06
CVE-2024-4325 [HIGH] Server-Side Request Forgery in gradio
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
GHSA
Server-Side Request Forgery in gradio
ghsa · 2024-06-06
CVE-2024-4325 [HIGH] CWE-918 Server-Side Request Forgery in gradio
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio and was discovered in version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
VulnCheck
Gradio save_url_to_cache Server-Side Request Forgery (SSRF) Vulnerability
vulncheck · 2024 · CVSS 8.6
CVE-2024-4325 [HIGH] Gradio save_url_to_cache Server-Side Request Forgery (SSRF) Vulnerability
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Affected: gradio.app gradio
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are un
Red Hat
kernel: dma: fix call order in dmam_free_coherent
vendor_redhat · 2024-08-17 · CVSS 5.5
CVE-2024-43856 [MEDIUM] CWE-362 kernel: dma: fix call order in dmam_free_coherent
In the Linux kernel, the following vulnerability has been resolved:
dma: fix call order in dmam_free_coherent
dmam_free_coherent() frees a DMA allocation, which makes the freed vaddr available for reuse, then calls devres_destroy() to remove and free the data structure used to track the DMA allocation. Between the two calls, it is possible for a concurrent task to make an allocation with the same vaddr and add it to the devres list.

If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match.

Fix by destroying the devres entry before freeing the DMA allocation.
No detection rules found.
Nuclei
Gradio - Server-Side Request Forgery
nuclei · CVSS 8.6
CVE-2024-4325 [HIGH] Gradio - Server-Side Request Forgery
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
Template:

```yaml
id: CVE-2024-4325

info:
  name: Gradio - Server-Side Request Forgery
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-a
```