CVE-2024-1727 MEDIUM

CVE-2024-1727: CSRF Vulnerability in gradio-app/gradio

Vendor Gradio-App
Product gradio-app/gradio
Weakness CWE-352 · CSRF
Published March 21, 2024
Last update August 1, 2024

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.

Key dates

02Disclosure timeline

March 21, 2024 CVE published
August 1, 2024 Record updated