Race Condition Affecting gradio package, versions [,5.0.0b5)

Q: How to fix?

Upgrade gradio to version 5.0.0b5 or higher.

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Race Condition vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-PYTHON-GRADIO-8320941
published1 Nov 2024
disclosed1 Nov 2024
creditUnknown

Report a new vulnerability Found a mistake?

Introduced: 1 Nov 2024

CWE-362 (opens in a new tab)

How to fix?

Upgrade gradio to version 5.0.0b5 or higher.

Overview

gradio is a Python library for easily interacting with trained machine learning models

Affected versions of this package are vulnerable to Race Condition due to improper isolation in functions update_root_in_config and route handlers that access and modify blocks.config. Attackers can exploit this by sending requests with malicious headers, such as X-Forwarded-Host, to inject a fake root URL into the application's configuration.

References

GitHub Commit

CVSS Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
High
Attack Requirements (AT)
None
Privileges Required (PR)
None
User Interaction (UI)
None

Confidentiality (VC)
Low
Integrity (VI)
None
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None