AVID-2026-R1549
Description
Vulnerability CVE-2024-48052
Details
In Gradio <= 4.42.0, the gr.DownloadButton component is affected by a server-side request forgery (SSRF) vulnerability. The underlying save_url_to_cache function places no restrictions on the URL it fetches, so a URL pointing at the local host or other internal addresses is retrieved by the server just like a public one. This allows local resources and sensitive information to be downloaded through the application.
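The following is an added illustration, not Gradio's own code: a stripped-down "URL to cache" helper that shows the shape of the flaw (the URL is fetched with no check) next to a hardened version that refuses anything not pointing at a globally routable address. The resolver table, the `fake_fetch` stand-in and the hostnames `example.com` / `intranet.corp` are constructed so the example runs offline; the function names are hypothetical and are not the names used inside Gradio.

```python
# Added example, not Gradio's code: an unchecked URL-to-cache helper beside
# a hardened one that validates scheme and destination address first.
import ipaddress
import socket
from typing import Callable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolve(host: str) -> List[str]:
    """Resolve a hostname with the OS resolver (used when no resolver is injected)."""
    addrs = {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}
    return sorted(addrs)


def validate_download_url(url: str,
                          resolve: Callable[[str], List[str]] = _system_resolve) -> List[str]:
    """Return the public addresses a URL resolves to, or raise ValueError.

    Rejects non-http(s) schemes (file://, gopher://, ...), URLs without a host,
    credentials in the authority, and any destination address that is not
    globally routable: loopback, RFC 1918, link-local (169.254.169.254),
    unspecified, reserved, IPv4-mapped IPv6 and similar ranges.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host:
        raise ValueError("URL has no host")
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    try:
        # IP literal: no DNS lookup needed, check the address itself.
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        raise ValueError(f"{host!r} did not resolve")
    for addr in addrs:
        if not ipaddress.ip_address(addr).is_global:
            raise ValueError(f"{host!r} resolves to non-public address {addr}")
    return addrs


def is_allowed_download_url(url: str,
                            resolve: Callable[[str], List[str]] = _system_resolve) -> bool:
    """Boolean wrapper around validate_download_url."""
    try:
        validate_download_url(url, resolve)
        return True
    except ValueError:
        return False


def vulnerable_save_url_to_cache(url: str, fetch: Callable[[str], bytes]) -> bytes:
    """Shape of the flaw: whatever URL arrives is fetched, nothing is checked."""
    return fetch(url)


def safe_save_url_to_cache(url: str, fetch: Callable[[str], bytes],
                           resolve: Callable[[str], List[str]] = _system_resolve) -> bytes:
    """Hardened form: validate the destination before touching the network."""
    validate_download_url(url, resolve)
    return fetch(url)


# Constructed stand-ins so the example runs offline (hypothetical hosts).
FAKE_DNS = {"example.com": ["93.184.216.34"], "intranet.corp": ["10.0.0.5"]}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


def fake_fetch(url: str) -> bytes:
    """Pretend network: returns a marker instead of performing a request."""
    return f"contents of {url}".encode()


if __name__ == "__main__":
    probes = [
        "https://example.com/report.pdf",        # public host, allowed
        "http://127.0.0.1:7860/file=/etc/passwd",  # loopback, blocked
        "http://169.254.169.254/latest/meta-data/",  # cloud metadata, blocked
        "http://[::1]/",                          # IPv6 loopback, blocked
        "http://intranet.corp/",                  # DNS points inside, blocked
        "file:///etc/passwd",                     # wrong scheme, blocked
    ]
    for u in probes:
        print(f"{u:45} unchecked={len(vulnerable_save_url_to_cache(u, fake_fetch))}B"
              f" hardened={'allowed' if is_allowed_download_url(u, fake_resolve) else 'blocked'}")
```

Two caveats a reviewer would raise against even the hardened version: the check resolves the name once and the HTTP client resolves it again when connecting, so a DNS rebinding host can pass validation and then point at 127.0.0.1; the fix is to connect to the validated address (pin it at the transport layer) rather than re-resolving. Second, a public URL may redirect to an internal one, so the fetch must either not follow redirects or run the same validation on every hop.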
Reason for inclusion in AVID: The report describes an SSRF vulnerability in Gradio <= 4.42.0 (gr.DownloadButton / save_url_to_cache). Gradio is a widely used library for building and deploying AI applications, so this is a vulnerability in a component that sits directly in ML pipelines and AI app deployments. It has an assigned CVE and public references, and it represents a software-supply-chain risk in AI software stacks. It is therefore kept for AVID curation.
References
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-48052
- https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4
- https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12
Affected or Relevant Artifacts
- Developer: n/a
- Deployer: n/a
- Artifact Details:
| Type | Name |
|---|---|
| System | n/a |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2024-11-04
- Version: 0.3.3
- AVID Entry