
AVID-2026-R1547

Description

Lack of integrity check on the downloaded FRP client in Gradio (CVE-2024-47867)

Details

Gradio is an open-source Python package designed for quick prototyping of machine-learning demos. The vulnerability is a missing integrity check on the FRP client binary that the Gradio server downloads when its sharing mechanism is used: the server neither verifies a checksum nor checks a signature on the file it fetched, so an attacker who controls the remote URL the binary is downloaded from could substitute a modified binary and have it run without detection. Any user of the Gradio sharing mechanism that downloads the FRP client is affected, in particular anyone relying on that executable for secure data tunneling. There is no direct workaround short of upgrading; users who cannot upgrade can add their own checksum or signature verification of the downloaded FRP client in their environment to confirm that the binary has not been tampered with.
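The following is an added example, not Gradio's code and not part of this advisory. It contrasts the weak pattern the advisory describes (write whatever the download URL returned to disk and mark it executable) with the workaround it recommends (verify a pinned SHA-256 digest before the file becomes executable, and re-check a cached copy on every start). The binary bytes, the platform key `linux_amd64`, the pinned-digest table and the fetch callables are all constructed stand-ins for the real frpc release and its download URL.

```python
"""Pinning and verifying a downloaded tunnel binary before it is used.

Added example, not Gradio's implementation. All data is constructed:
GOOD_FRPC and TAMPERED_FRPC stand in for the real frpc binary and a
modified copy, and the fetch callables stand in for an HTTP GET.
"""
import hashlib
import hmac
import os
import stat
import tempfile
from typing import Callable, Dict

# Constructed stand-ins for the release binary and a tampered copy of it.
GOOD_FRPC = b"\x7fELF\x02\x01\x01constructed-frpc-stub"
TAMPERED_FRPC = GOOD_FRPC + b"\x00constructed-malicious-payload"

# Assumption: one pinned digest per target platform. In a real deployment the
# hex digests are copied from a release manifest obtained out of band and
# stored in source or config, never fetched from the same URL as the binary.
# They are computed here only because the stand-in bytes live in this file.
PINNED_SHA256: Dict[str, str] = {
    "linux_amd64": hashlib.sha256(GOOD_FRPC).hexdigest(),
}

Fetcher = Callable[[str], bytes]  # platform -> bytes, stand-in for HTTP GET


class IntegrityError(Exception):
    """Raised when a binary does not match its pinned digest."""


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of SHA-256(data) with a pinned hex digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def install_unverified(fetch: Fetcher, dest_dir: str, platform: str) -> str:
    """Weak pattern: trust the download and make it executable as-is."""
    path = os.path.join(dest_dir, f"frpc_{platform}")
    with open(path, "wb") as fh:
        fh.write(fetch(platform))
    os.chmod(path, 0o755)
    return path


def install_verified(fetch: Fetcher, dest_dir: str, platform: str,
                     pinned: Dict[str, str] = PINNED_SHA256) -> str:
    """Hardened pattern: unknown platform -> refuse; digest mismatch -> refuse
    before anything is written; otherwise install via an atomic rename so a
    partially written file can never be executed."""
    if platform not in pinned:
        raise IntegrityError(f"no pinned digest for {platform}")
    data = fetch(platform)
    if not verify_sha256(data, pinned[platform]):
        raise IntegrityError(f"SHA-256 mismatch for frpc_{platform}")
    final = os.path.join(dest_dir, f"frpc_{platform}")
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".frpc_")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        os.chmod(tmp, 0o755)
        os.replace(tmp, final)  # atomic on POSIX
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return final


def cached_binary_is_intact(path: str, platform: str,
                            pinned: Dict[str, str] = PINNED_SHA256) -> bool:
    """Re-check a previously downloaded binary on every start; tampering can
    happen on disk after the download, not only in transit."""
    with open(path, "rb") as fh:
        return verify_sha256(fh.read(), pinned[platform])


def run_demo() -> Dict[str, bool]:
    """Exercise both installers against an honest and a tampered 'server'."""
    honest: Fetcher = lambda platform: GOOD_FRPC
    tampered: Fetcher = lambda platform: TAMPERED_FRPC
    results: Dict[str, bool] = {}
    with tempfile.TemporaryDirectory() as d:
        p = install_unverified(tampered, d, "linux_amd64")
        results["unverified_installs_tampered"] = bool(
            os.stat(p).st_mode & stat.S_IXUSR)
    with tempfile.TemporaryDirectory() as d:
        try:
            install_verified(tampered, d, "linux_amd64")
            results["verified_rejects_tampered"] = False
        except IntegrityError:
            # Rejected before any file was written: directory stays empty.
            results["verified_rejects_tampered"] = os.listdir(d) == []
    with tempfile.TemporaryDirectory() as d:
        p = install_verified(honest, d, "linux_amd64")
        results["verified_installs_honest"] = cached_binary_is_intact(
            p, "linux_amd64")
        with open(p, "ab") as fh:  # simulate post-download tampering on disk
            fh.write(b"\x00constructed-payload")
        results["cached_tamper_detected"] = not cached_binary_is_intact(
            p, "linux_amd64")
    return results


if __name__ == "__main__":
    print(run_demo())
```

The important ordering in `install_verified` is verify, then write, then chmod, then atomic rename: the digest is checked on the bytes in memory before any file exists, and the executable bit is only set on the temporary file that is about to be renamed over the final path. A platform with no pinned digest is refused rather than downloaded unverified, and `cached_binary_is_intact` closes the second gap the advisory does not spell out: a binary that was verified once but sits on disk between runs has to be verified again before each use.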

Reason for inclusion in AVID: CVE-2024-47867 describes missing integrity verification of a downloaded FRP client in Gradio, which allows the binary to be tampered with without detection. This is a software supply-chain issue in an AI tooling stack (Gradio) used to build, deploy, and serve AI demos and workflows. The affected components (the Gradio server's sharing mechanism and the client it downloads) are used in AI pipelines, and tampering with the binary can lead to code execution. The description and references give enough signal to classify this as a security vulnerability in the AI software supply chain.

References

Affected or Relevant Artifacts

  • Developer: gradio-app
  • Deployer: gradio-app
  • Artifact Details:
      Type: System
      Name: gradio

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CWE

  • ID: CWE-345
  • Description: Insufficient Verification of Data Authenticity

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-10-10
  • Version: 0.3.3
  • AVID Entry