We use cookies to improve your experience on our site.
AVID-2026-R1538
Description
CORS origin validation is not performed when the request has a cookie in Gradio (CVE-2024-47084)
Details
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication. Users are advised to upgrade to gradio>4.44 to address this issue. As a workaround, users can manually enforce stricter CORS origin validation by modifying the CustomCORSMiddleware class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.
Reason for inclusion in AVID: CVE-2024-47084 describes a vulnerability in Gradio (an open-source Python tool widely used to build and deploy ML demos and AI apps). It affects CORS validation when cookies are present, enabling unauthorized cross-origin requests to a local Gradio server. This is a software vulnerability impacting components commonly used in ML pipelines and AI deployment stacks. As Gradio is used to deploy AI models, the issue concerns the software supply chain (dependencies/frameworks) used to build, package, deploy, or serve AI systems. It is not hardware/firmware-only. The CVE includes mitigation steps and references, providing sufficient signal.
References
Affected or Relevant Artifacts
- Developer: gradio-app
- Deployer: gradio-app
- Artifact Details:
| Type | Name |
|---|---|
| System | gradio |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CWE
| ID | Description |
|---|---|
| CWE-285 | CWE-285: Improper Authorization |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-10-10
- Version: 0.3.3
- AVID Entry