PT-2024-30411 · Gradio · Gradio

Published: 2024-06-06 · Updated: 2025-06-24 · CVE-2024-4325

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: gradio-app/gradio version 4.21.0

Description: A Server-Side Request Forgery (SSRF) vulnerability exists in the "/queue/join" endpoint and the save_url_to_cache function. The vulnerability arises because the path value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation. An attacker can therefore send crafted requests that reach the local network or the AWS metadata endpoint from the server, compromising the security of internal servers.

Recommendations: As a temporary workaround, consider disabling the save_url_to_cache function until a patch is available. Restrict access to the "/queue/join" endpoint to minimize the risk of exploitation. Avoid using the path value in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
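As an added illustration of the kind of check the Recommendations imply (this is example code written for this page, not Gradio's code or the project's fix): a user-supplied URL is parsed, its host resolved, and the fetch refused if any resulting address is loopback, private, link-local (which covers the 169.254.169.254 metadata address), multicast, reserved or unspecified, including IPv4 addresses hidden in IPv4-mapped IPv6 form. The resolver stub, hostnames and addresses in CONSTRUCTED_DNS are constructed for the example so it runs offline; in production the default resolver uses socket.getaddrinfo.

```python
"""Added example: validate an outbound URL before a server-side fetch (not Gradio's code)."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(hostname):
    """Default resolver: every address the hostname resolves to (needs network)."""
    infos = socket.getaddrinfo(hostname, None)
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    # Unwrap ::ffff:a.b.c.d so an IPv4 address cannot slip past as IPv6.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_outbound_url(url, resolver=resolve_host):
    """Return (ok, reason). ok is True only if the URL may be fetched server-side."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ips = [ipaddress.ip_address(host)]          # literal IP in the URL
    except ValueError:
        try:
            ips = resolver(host)                    # hostname: resolve it
        except OSError:
            return False, f"unresolvable host: {host!r}"
    if not ips:
        return False, f"unresolvable host: {host!r}"
    for ip in ips:
        if not is_public_address(ip):
            return False, f"{host!r} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS table (assumption for the example; not real records).
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],
}


def constructed_resolver(hostname):
    """Offline stand-in for resolve_host using CONSTRUCTED_DNS."""
    if hostname not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [ipaddress.ip_address(a) for a in CONSTRUCTED_DNS[hostname]]


if __name__ == "__main__":
    for candidate in [
        "https://example.com/image.png",
        "http://169.254.169.254/",
        "http://[::ffff:169.254.169.254]/",
        "http://localhost:7860/",
        "http://metadata.internal/",
        "file:///tmp/x",
    ]:
        print(candidate, "->", validate_outbound_url(candidate, constructed_resolver))
```

The resolution step only closes the hole if the HTTP client then connects to the address that was checked; resolving once here and letting the client resolve again on the fetch leaves a DNS-rebinding window, so pin the validated address (or re-run the check on every redirect hop) in the real fetch path.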

Exploit: SSRF

Weakness Enumeration

Related Identifiers: CVE-2024-4325, GHSA-973G-55HP-3FRW

Affected Products: Gradio