CVE-2023-34239
HIGH7.3EPSS 0.28%Gradio vulnerable to arbitrary file read and proxying of arbitrary URLs
Published: 6/9/2023Modified: 2/21/2025
Description
### Impact There are two separate security vulnerabilities here: (1) a security vulnerability that allows users to read arbitrary files on the machines that are running shared Gradio apps (2) the ability of users to use machines that are sharing Gradio apps to proxy arbitrary URLs ### Patches Both problems have been solved, please upgrade `gradio` to `3.34.0` or higher ### Workarounds Not possible to workaround except by taking down any shared Gradio apps ### References Relevant PRs: * https://github.com/gradio-app/gradio/pull/4406 * https://github.com/gradio-app/gradio/pull/4370
Affected packages (2)
- PyPI/gradiofrom 0, < 3.34.0
- PyPI/gradiofrom 0, < 3.34.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH7.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
References (9)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2023-34239
- PATCHhttps://github.com/gradio-app/gradio
- WEBhttps://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a
- WEBhttps://github.com/gradio-app/gradio/commit/37967617bd97615fb6f3b44e7750c0e0be58479a#diff-324a7165f5d5a8823a28b76f5653fa45f32c8144c82b2e528882c97c7eae534f
- WEBhttps://github.com/gradio-app/gradio/commit/cd64130d54e678525774bbb200ef9c7166fa1543
- WEBhttps://github.com/gradio-app/gradio/pull/4370
- WEBhttps://github.com/gradio-app/gradio/pull/4406
- WEBhttps://github.com/gradio-app/gradio/security/advisories/GHSA-3qqg-pgqq-3695
- WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2023-90.yaml