PT-2024-18125 · Gradio · Gradio

Published: 2024-03-27 · Updated: 2024-04-16 · CVE-2024-1540

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Name of the Vulnerable Software and Affected Versions: gradio-app/gradio repository (affected versions not specified)

Description: A command injection issue exists in the deploy+test-visual.yml workflow due to improper neutralization of special elements used in a command. This allows attackers to execute unauthorized commands, potentially leading to unauthorized modification of the base repository or secrets exfiltration. The issue arises from the unsafe handling of GitHub context information within a run operation, where expressions inside ${{ }} are evaluated and substituted before script execution.

Recommendations: To resolve the issue, set untrusted input values to intermediate environment variables to prevent direct influence on script generation. As a temporary workaround, consider restricting the use of the run operation in the deploy+test-visual.yml workflow until a proper fix is applied. Restrict access to the deploy+test-visual.yml workflow to minimize the risk of exploitation. Avoid using expressions inside ${{ }} in the run operation until the issue is resolved.
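The description and recommendations above come down to one pattern: a `${{ }}` expression written directly inside a `run:` step is substituted into the script text before the shell ever sees it, so whatever the context value contains becomes part of the command. Routing the value through `env:` instead keeps the script text constant and hands the value to the shell as a variable. The following is an added example, not code from Gradio or from this advisory: a small Python checker that walks a workflow file line by line (no PyYAML dependency), collects every `run:` script, and reports `${{ }}` expressions rooted in contexts an outside contributor can influence. The two embedded workflows are constructed to mirror the described pattern; the real contents of deploy+test-visual.yml are not on this page, and `github.event.pull_request.title` is an assumed stand-in for a contributor-controlled value. The list of untrusted context roots is likewise an assumption to be extended for your own repositories.

```python
"""Checker for `${{ }}` expressions expanded inside `run:` steps of a GitHub Actions workflow.

Added example, not Gradio's code. Parses the workflow text line by line so it has no
third-party dependency; a full YAML parser would be the more robust choice in production.
"""
import re
from typing import List, Tuple

# Expression roots whose values an outside contributor can set. This list is an
# assumption for the example; it covers the roots most often involved in this bug class.
UNTRUSTED_PREFIXES = (
    "github.event.",    # pull request title/body, commit messages, issue and comment text
    "github.head_ref",  # source branch name of a pull request
    "inputs.",          # workflow_dispatch / workflow_call inputs
)

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*?)\s*$")


def run_scripts(workflow_text: str) -> List[List[Tuple[int, str]]]:
    """Return the script text of every `run:` step as a list of (line_no, line) pairs.

    Handles inline scalars (`run: make test`) and block scalars (`run: |`, `run: >-`).
    """
    lines = workflow_text.splitlines()
    scripts = []
    i = 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = len(m.group(1))          # column where the `run` key starts
        value = m.group(2)
        if value and value[0] in "|>":     # block scalar: body is the more-indented lines below
            body = []
            j = i + 1
            while j < len(lines):
                nxt = lines[j]
                indent = len(nxt) - len(nxt.lstrip())
                if nxt.strip() and indent <= key_col:   # a sibling key or a new step ends the block
                    break
                body.append((j + 1, nxt))
                j += 1
            scripts.append(body)
            i = j
        else:                               # inline scalar: the script is the rest of the line
            scripts.append([(i + 1, value)])
            i += 1
    return scripts


def find_unsafe_interpolations(workflow_text: str) -> List[Tuple[int, str]]:
    """Report (line_no, expression) for `${{ }}` expressions inside `run:` scripts whose
    root is an untrusted context. Expressions under `env:` are deliberately not reported:
    the runner passes those to the shell as variable values, not as script text."""
    findings = []
    for script in run_scripts(workflow_text):
        for line_no, text in script:
            for expr in EXPR_RE.findall(text):
                if expr.startswith(UNTRUSTED_PREFIXES):
                    findings.append((line_no, expr))
    return findings


# Constructed sample (not the real deploy+test-visual.yml): the pull request title is
# spliced into the script text before the shell runs it.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  visual:
    runs-on: ubuntu-latest
    steps:
      - name: Report PR
        run: |
          echo "Testing: ${{ github.event.pull_request.title }}"
          npm run test:visual
"""

# Hardened form following the advisory's recommendation: the value goes through an
# intermediate environment variable and is referenced as quoted data in the script.
FIXED_WORKFLOW = """\
on: pull_request_target
jobs:
  visual:
    runs-on: ubuntu-latest
    steps:
      - name: Report PR
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Testing: $PR_TITLE"
          npm run test:visual
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(label, find_unsafe_interpolations(text))
```

Run against the constructed samples, the checker flags line 8 of the vulnerable workflow and nothing in the fixed one. The fixed form still uses the same context value; what changes is that `$PR_TITLE` is expanded by the shell as a variable (quote it so it is not word-split or glob-expanded), whereas `${{ ... }}` inside `run:` is expanded by the runner into the script source itself, where no amount of shell quoting helps.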

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2024-1540, GHSA-XCGP-R7R8-2HC9

Affected Products: Gradio

References: Exploit · Fix