AVID-2026-R1372

Description

Regular Expression Denial of Service (ReDoS) in gradio-app/gradio (CVE-2024-10624)

Details

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression ^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$ to process user input. In Python’s default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
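The following Python example is added here and is not gradio's code. It takes the regular expression quoted above (the advisory's pattern) and wraps it in a small parser that behaves as the page describes, then places a hardened replacement beside it: a length cap applied before any matching, plus a single left-to-right pass over the same "now - N unit" grammar that never backtracks, so match cost is bounded by the cap regardless of input shape. The function names, the 64-character cap and the sample inputs are assumptions made for illustration, not values taken from the project.

```python
import re
from typing import Iterable, Optional, Tuple

# Regular expression quoted in the advisory for gr.Datetime (commit 98cbcae).
NOW_REGEX = re.compile(r"^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$")

# Assumption: an input-length cap enforced before the string reaches any parser.
# 64 characters comfortably covers "now - <digits> <unit>" with surrounding whitespace.
MAX_DATETIME_LEN = 64

Offset = Optional[Tuple[int, Optional[str]]]


def parse_now_offset_regex(text: str) -> Offset:
    """Original shape of the check: the raw, unbounded string goes straight into
    the backtracking regex. Returns (count, unit); unit is None for plain "now"
    or whitespace-only input, and the whole result is None when nothing matches."""
    m = NOW_REGEX.match(text)
    if m is None:
        return None
    count, unit = m.group(1), m.group(2)
    return (int(count) if count else 0, unit)


def parse_now_offset_safe(text: str) -> Offset:
    """Hardened variant: reject over-long input up front, then parse the same
    grammar in one pass. Every character is examined at most a constant number
    of times, so the cost is linear in len(text) and bounded by MAX_DATETIME_LEN."""
    if len(text) > MAX_DATETIME_LEN:
        return None
    s = text.strip()              # \s* at both ends of the regex
    if s == "":
        return (0, None)          # the regex accepts empty / whitespace-only input
    if not s.startswith("now"):
        return None
    rest = s[3:].lstrip()         # \s* after "now"
    if rest == "":
        return (0, None)          # bare "now"
    if rest[0] != "-":
        return None
    rest = rest[1:].lstrip()      # \s* after "-"
    i = 0
    while i < len(rest) and rest[i].isdecimal():   # \d+ (Unicode decimal digits, like \d)
        i += 1
    if i == 0:
        return None
    count = int(rest[:i])
    rest = rest[i:].lstrip()      # \s* before the unit
    if len(rest) != 1 or rest not in "dmhs":        # [dmhs] followed only by trailing \s*
        return None
    return (count, rest)


# Constructed sample inputs covering accepted forms, rejected forms and edge cases.
SAMPLE_INPUTS = [
    "now - 5 d", "now", "", "   ", "now-12h", " now  -  7   m ",
    "now - 5 d extra", "yesterday", "now -", "nowx", "now - x d", "now - 3 y",
]


def check_agreement(samples: Iterable[str]) -> bool:
    """True when the hand parser reproduces the regex result on every sample
    (all samples are short, so the regex itself is safe to run here)."""
    return all(parse_now_offset_regex(s) == parse_now_offset_safe(s) for s in samples)


if __name__ == "__main__":
    for sample in SAMPLE_INPUTS:
        print(repr(sample), "->", parse_now_offset_safe(sample))
    print("parsers agree on all samples:", check_agreement(SAMPLE_INPUTS))
    # The cap, not the parser, is what stops an attacker-sized payload.
    print("over-long input rejected:", parse_now_offset_safe("now" + " " * 5000 + "x"))
```

The important design point is the order of operations: the length check runs before any pattern matching, so the cost of the regex engine on adversarial input never matters. Replacing the regex with the hand parser removes the backtracking entirely, but the cap alone is a sufficient mitigation for a backtracking engine whose worst case is polynomial in the input length.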

Reason for inclusion in AVID: CVE-2024-10624 describes a Regular Expression Denial of Service (ReDoS) vulnerability in the gradio-app/gradio repository, specifically in the gr.Datetime component. Gradio is a widely used library for building and deploying AI applications and dashboards, so the flaw sits in software that commonly appears in AI pipelines and serving stacks. It lies in a software supply chain component (the Gradio library) that is part of the AI software stack, is exploitable over the network via crafted HTTP requests to cause a DoS, and has a documented CVSS score and CWE. It therefore satisfies the criteria for an AI/GPAI-related supply chain vulnerability with explicit evidence.

References

Affected or Relevant Artifacts

  • Developer: gradio-app
  • Deployer: gradio-app
  • Artifact Details:
      Type: System
      Name: gradio-app/gradio

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score: 7.5
Base Severity: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

CWE

CWE-1333: Inefficient Regular Expression Complexity

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3