CVE-2024-48052

Name of the Vulnerable Software and Affected Versions gradio versions 4.42.0 and earlier

Description The issue is related to a hidden server-side request forgery (SSRF) vulnerability in the gr.DownloadButton function. This vulnerability arises because the save url to cache function does not restrict URLs, allowing access to local target resources. As a result, it can lead to the download of local resources and sensitive information.

Recommendations For gradio versions 4.42.0 and earlier, as a temporary workaround, consider disabling the gr.DownloadButton function until a patch is available. Restrict access to the save url to cache function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.