PT-2024-18257 · Gradio · Gradio

Published: 2024-02-22 · Updated: 2025-07-30 · CVE-2024-1729

CVSS v3.1: 5.9 (Medium)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 4.19.2

Description: A timing attack vulnerability exists in the login function, specifically within the routes.py file, due to the use of a direct comparison operation (app.auth[username] == password) to validate user credentials. This can be exploited to guess passwords based on response times, potentially allowing an attacker to bypass authentication mechanisms and gain unauthorized access. The vulnerability relies on the fact that string comparisons in Python terminate early as soon as there is a string mismatch, and since Gradio apps are not rate-limited by default, a user could brute-force millions of guesses to figure out the correct username and password.

Recommendations: For Gradio versions prior to 4.19.2, update to Gradio version 4.19.2 or higher to resolve the issue. As a temporary workaround, consider implementing rate-limiting on Gradio apps to minimize the risk of exploitation. Restrict access to the login function in routes.py until the update is applied. Avoid using the direct comparison operation (app.auth[username] == password) for validating user credentials until the issue is resolved.
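The early-terminating comparison described above next to a constant-time replacement, plus the per-client rate limiter the recommendations suggest as an interim workaround, as an added Python example (this is not Gradio's own code or its actual fix); the credential store, client keys and limits are constructed placeholders.

```python
import hashlib
import hmac
import time
from collections import defaultdict

# Constructed stand-in for Gradio's app.auth mapping (hypothetical values).
AUTH = {"admin": "correct horse battery staple"}

def login_vulnerable(username, password):
    # Direct == comparison as described in the advisory: Python stops at the
    # first mismatching character, so response time leaks how many leading
    # characters of the guess are right.
    return username in AUTH and AUTH[username] == password

def login_hardened(username, password):
    # Hash both sides to equal-length digests, then compare in constant time,
    # so neither password length nor first-mismatch position affects timing.
    # Unknown usernames still go through the compare against a dummy digest.
    expected = AUTH.get(username, "")
    expected_digest = hashlib.sha256(expected.encode()).digest()
    given_digest = hashlib.sha256(password.encode()).digest()
    match = hmac.compare_digest(expected_digest, given_digest)
    return match and username in AUTH

class LoginRateLimiter:
    # Fixed-window limiter per client (the advisory's interim workaround):
    # at most max_attempts failed logins per window seconds.
    def __init__(self, max_attempts=5, window=60.0):
        self.max_attempts = max_attempts
        self.window = window
        self._failures = defaultdict(list)

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        recent = [t for t in self._failures[client] if now - t < self.window]
        self._failures[client] = recent
        return len(recent) < self.max_attempts

    def record_failure(self, client, now=None):
        now = time.monotonic() if now is None else now
        self._failures[client].append(now)

def attempt_login(limiter, client, username, password, now=None):
    # Gate the hardened check behind the limiter; returns a status string.
    if not limiter.allow(client, now):
        return "rate_limited"
    if login_hardened(username, password):
        return "ok"
    limiter.record_failure(client, now)
    return "denied"
```

The `now` parameter exists only so the window logic can be exercised deterministically; in a real deployment the limiter would key on the authenticated client address and live behind the login route.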

Weakness Enumeration: Time Of Check To Time Of Use

Related Identifiers: CVE-2024-1729, GHSA-HMX6-R76C-85G9

Affected Products: Gradio