PT-2024-32862 · Gradio · Gradio

Ahpaleus

Published 2024-10-10 · Updated 2024-10-17

CVE-2024-47870

CVSS v3.1: 8.1 High
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 5

Description: This issue involves a race condition in the update_root_in_config function, allowing an attacker to modify the root URL used by the Gradio frontend to communicate with the backend. By exploiting this flaw, an attacker can redirect user traffic to a malicious server, potentially intercepting sensitive data such as authentication credentials or uploaded files. This impacts all users who connect to a Gradio server, especially those exposed to the internet.

Recommendations: To address this issue, upgrade to gradio>=5. There are no known workarounds for this issue. As a temporary workaround, consider restricting access to the update_root_in_config function until a patch is applied.
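The following is an added illustration, not Gradio's code and not part of this advisory: a hypothetical model of the bug class described above, where a single config object shared by all requests has its root URL rewritten in place, so a request that yields between "update root" and "serialize config" can hand its client the root set by a concurrent request. The class names, the BASE_CONFIG dictionary, the origins and the explicit yield_point hook are all constructed for the demonstration; the hardened variant shows the generic fix of filling the root into a per-request copy instead of mutating shared state.

```python
import copy
from typing import Callable, Optional

# Constructed minimal config; a real frontend config carries far more.
BASE_CONFIG = {"root": "", "components": ["textbox", "button"]}

VICTIM_ROOT = "https://app.example"            # constructed: the legitimate origin
INJECTED_ROOT = "https://other-host.example"   # constructed: root set by a concurrent request


class SharedMutableConfig:
    """Vulnerable pattern (hypothetical model): one config object shared by
    every request, with its 'root' rewritten in place before being served."""

    def __init__(self) -> None:
        self.config = copy.deepcopy(BASE_CONFIG)

    def update_root(self, root: str) -> None:
        self.config["root"] = root  # mutation is visible to all in-flight requests

    def get_config(self) -> dict:
        return self.config


class PerRequestConfig:
    """Hardened pattern: the shared template is never mutated; each request
    receives its own copy with the root filled in."""

    def __init__(self) -> None:
        self._template = copy.deepcopy(BASE_CONFIG)

    def config_for(self, root: str) -> dict:
        cfg = copy.deepcopy(self._template)
        cfg["root"] = root
        return cfg


def handle_vulnerable(server: SharedMutableConfig, root: str,
                      yield_point: Optional[Callable[[], None]] = None) -> dict:
    """Serve the config the vulnerable way. `yield_point` models the moment
    between 'update root' and 'serialize config' at which an async server
    may switch to another request."""
    server.update_root(root)
    if yield_point is not None:
        yield_point()
    return copy.deepcopy(server.get_config())  # snapshot of what the client receives


def handle_hardened(server: PerRequestConfig, root: str,
                    yield_point: Optional[Callable[[], None]] = None) -> dict:
    """Serve the config from a per-request copy; other requests cannot alter it."""
    cfg = server.config_for(root)
    if yield_point is not None:
        yield_point()
    return cfg


def reproduce_interleaving() -> tuple:
    """Deterministically replay the harmful interleaving: request A sets its
    root, request B runs to completion, then A serializes. Returns the root
    A's client sees under the vulnerable and the hardened implementation."""
    vuln = SharedMutableConfig()
    seen_vuln = handle_vulnerable(
        vuln, VICTIM_ROOT,
        yield_point=lambda: handle_vulnerable(vuln, INJECTED_ROOT),
    )["root"]

    hard = PerRequestConfig()
    seen_hard = handle_hardened(
        hard, VICTIM_ROOT,
        yield_point=lambda: handle_hardened(hard, INJECTED_ROOT),
    )["root"]
    return seen_vuln, seen_hard


if __name__ == "__main__":
    v, h = reproduce_interleaving()
    print("vulnerable: client of", VICTIM_ROOT, "received root", v)
    print("hardened:   client of", VICTIM_ROOT, "received root", h)
```

The explicit yield_point replaces real scheduler nondeterminism so the interleaving is reproducible in a test; in production the same window is the await or thread switch between computing the root and serializing the response, which is why the mitigation is to stop sharing the mutable object rather than to narrow the window.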

Exploit · Fix · Race Condition


Weakness Enumeration

Related Identifiers

CVE-2024-47870
GHSA-XH2X-3MRM-FWQM
PYSEC-2024-218

Affected Products

Gradio