AVID-2026-R1527

Description

Server-Side Request Forgery (SSRF) in gradio-app/gradio (CVE-2024-4325)

Details

A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the /queue/join endpoint and the save_url_to_cache function. The vulnerability arises when the path value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.

Reason for inclusion in AVID: The CVE describes a Server-Side Request Forgery (SSRF) in gradio-app/gradio, a software component widely used in ML/AI apps for UI and deployment workflows. This affects a software package used to build/deploy AI systems (supply chain element: a dependency/framework), and constitutes a security vulnerability with potential remote access implications. The description provides concrete vulnerability behavior and affected endpoint, supporting its relevance to AI software stacks and supply chain risk.

References

• NVD entry
• https://huntr.com/bounties/b34f084b-7d14-4f00-bc10-048a3a5aaf88

Affected or Relevant Artifacts

• Developer: gradio-app
• Deployer: gradio-app
• Artifact Details:

Impact

AVID Taxonomy Categorization

• Risk domains: Security
• SEP subcategories: S0100: Software Vulnerability
• Lifecycle stages: L06: Deployment

CVSS

CWE

Other information

• Report Type: Advisory
• Credits:
• Date Reported: 2024-06-06
• Version: 0.3.3
• AVID Entry