Race Condition Affecting gradio package, versions [,5.0.0)

Q: How to fix?

Upgrade gradio to version 5.0.0 or higher.

Threat Intelligence

0.09% (41^st percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-GRADIO-8180435
published11 Oct 2024
disclosed10 Oct 2024
creditMaciej Domanski

Report a new vulnerability Found a mistake?

Introduced: 10 Oct 2024

CVE-2024-47870 (opens in a new tab) CWE-362 (opens in a new tab)

How to fix?

Upgrade gradio to version 5.0.0 or higher.

Overview

gradio is a Python library for easily interacting with trained machine learning models

Affected versions of this package are vulnerable to Race Condition in the update_root_in_config function. An attacker can redirect user traffic to a malicious server, potentially intercepting sensitive data such as authentication credentials or uploaded files.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
Low
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None