CVE-2023-25823

MEDIUM 5.4 | EPSS 0.41%

Update share links to use FRP instead of SSH tunneling

Published: 2/23/2023
Modified: 9/20/2024
Also known as: GHSA-3x5j-9vwr-8rr5, PYSEC-2023-16

Description

### Impact

This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.

### Patches

The problem has been patched. Ideally, users should upgrade to `gradio==3.19.1` or later where the FRP solution has been properly tested.

### Credit

Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team.
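A check a defender can run over a code base, added here as an example (it is not part of the advisory or of Gradio's code): it classifies a Gradio version against the 3.13.1 and 3.19.1 thresholds named above and lists `launch(...)` calls that enable `share`. The function names and the sample source are constructed for illustration.

```python
import ast
import re

AFFECTED_BELOW = (3, 13, 1)  # advisory: versions older than 3.13.1 are affected
RECOMMENDED = (3, 19, 1)     # advisory: 3.19.1 or later is the recommended upgrade

def parse_version(text):
    """'3.13.0' -> (3, 13, 0). Simplification: pre-release suffixes are ignored."""
    nums = []
    for piece in text.strip().split(".")[:3]:
        match = re.match(r"\d+", piece)
        nums.append(int(match.group()) if match else 0)
    return tuple(nums + [0] * (3 - len(nums)))

def classify(version):
    """Map a Gradio version string to its status under this advisory."""
    parsed = parse_version(version)
    if parsed < AFFECTED_BELOW:
        return "affected"
    if parsed < RECOMMENDED:
        return "patched, upgrade recommended"
    return "ok"

def find_share_calls(source):
    """Return sorted (line, kind) pairs for launch() calls that may enable share links."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if name != "launch":
            continue
        for kw in node.keywords:
            if kw.arg != "share":
                continue
            if not isinstance(kw.value, ast.Constant):
                hits.append((node.lineno, "share=<dynamic>"))  # value decided at runtime
            elif kw.value.value is True:
                hits.append((node.lineno, "share=True"))
    return sorted(hits)

# Constructed sample application source, not taken from any real project.
SAMPLE = '''import gradio as gr
demo = gr.Interface(fn=lambda x: x, inputs="text", outputs="text")
demo.launch(share=True)
demo.launch(share=False)
demo.launch(share=ENABLE_SHARE)
'''

if __name__ == "__main__":
    print(classify("3.12.0"), find_share_calls(SAMPLE))
```

A `share=<dynamic>` hit means the value is not a literal and needs manual review of where it is set.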

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:L/SA:L |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:L |

References (4)