CVE-2024-48052
Published 2024-11-04
Priority: P3 (36) · Severity: medium · CVSS 3.1 base score: 6.5
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.46% (36.8th percentile)
In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gradio_project | gradio | <= 4.42.0 | — |
| gradio_project | gradio | 0 – 4.42.0 | — |
GHSA (2024-11-05): CVE-2024-48052 [MEDIUM] CWE-918 — gradio Server Side Request Forgery vulnerability. Same description as above.
OSV (2024-11-05): CVE-2024-48052 [MEDIUM] — gradio Server Side Request Forgery vulnerability. Same description as above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.