PT-2024-32448 · Gradio · Gradio
Ahpaleus · +1
Published: 2024-10-10 · Updated: 2024-10-17
CVE-2024-47165
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 5.0

Description: This issue relates to CORS origin validation accepting a null origin. When a Gradio server is deployed locally, the localhost aliases variable includes "null" as a valid origin, allowing attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin. This could lead to data theft, such as user authentication tokens or uploaded files, especially impacting users running Gradio locally who use basic authentication.

Recommendations: To address this issue, upgrade to gradio>=5.0. As a temporary workaround, manually modify the localhost aliases list in the local Gradio deployment to exclude "null" as a valid origin, mitigating the potential for exploitation.
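The following is an added illustration, not Gradio's own code, of the validation flaw the description refers to and of the hardened check the recommendation implies. Browsers send the literal string "null" as the Origin header for opaque origins (for example a sandboxed iframe), so an allowlist that contains the entry "null" will match that header value as if it were a loopback host. The allowlist contents, the function names (is_allowed_origin_weak, is_allowed_origin_hardened, cors_headers, audit) and the sample Origin values are assumptions chosen for the example; the remote host name is a constructed placeholder.

```python
"""Added example (not Gradio's code): a CORS origin check that treats the
literal Origin value "null" as a localhost alias, beside a hardened check
that only accepts a well-formed http(s) origin on a loopback host."""
from urllib.parse import urlsplit

# Assumed weak allowlist: the literal string "null" sits next to real host names,
# so an opaque-origin request (Origin: null) is accepted as if it were local.
LOCALHOST_ALIASES_WEAK = frozenset({"localhost", "127.0.0.1", "0.0.0.0", "null"})

# Hardened allowlist: loopback host names only; "null" is not a host and is dropped.
LOCALHOST_ALIASES_HARDENED = frozenset({"localhost", "127.0.0.1", "0.0.0.0"})


def origin_host(origin):
    """Return the host part of an Origin header value, or None if it has none.

    "null" has no scheme and no host, so urlsplit yields no hostname for it;
    a missing header (None) is likewise reported as no host."""
    if origin is None:
        return None
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname


def is_allowed_origin_weak(origin):
    """Mirrors the flawed behaviour described in the advisory: the raw header
    value "null" is compared against the alias list and matches its "null" entry."""
    if origin == "null":
        return "null" in LOCALHOST_ALIASES_WEAK
    host = origin_host(origin)
    return host is not None and host in LOCALHOST_ALIASES_WEAK


def is_allowed_origin_hardened(origin):
    """Only a well-formed http(s) origin whose host is a loopback alias passes;
    a missing header, "null", or a remote host is refused."""
    host = origin_host(origin)
    return host is not None and host in LOCALHOST_ALIASES_HARDENED


def cors_headers(origin, check):
    """Headers a local server would emit for the given Origin under `check`.
    An empty result means the browser blocks the cross-origin read."""
    if not check(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


# Constructed sample Origin header values: a browser tab on the same machine,
# a sandboxed iframe (opaque origin), a remote site, and a missing header.
SAMPLE_ORIGINS = ["http://localhost:7860", "null", "https://attacker.example", None]


def audit(check):
    """Map each sample origin to whether `check` would allow it."""
    return {str(origin): check(origin) for origin in SAMPLE_ORIGINS}


if __name__ == "__main__":
    for name, check in (("weak", is_allowed_origin_weak),
                        ("hardened", is_allowed_origin_hardened)):
        print(name, audit(check))
```

Running the block prints that the weak check allows "null" alongside localhost, while the hardened check allows only the localhost origin; the recommended workaround corresponds to moving from the first allowlist to the second.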

Exploit · Fix

Improper Authorization · Origin Validation Error


Weakness Enumeration

Related Identifiers: CVE-2024-47165 · GHSA-89V2-PQFV-C5R9 · PYSEC-2024-214

Affected Products: Gradio