Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS0yNmpoLXI4ZzItNmZwcs4ABAMK

Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is a data validation issue in the Gradio Dropdown component's pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user's machine.

Patches

Yes, this issue is addressed in gradio>=5.0. Please upgrade to the latest version to resolve the problem.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.

Permalink: https://github.com/advisories/GHSA-26jh-r8g2-6fpr
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0yNmpoLXI4ZzItNmZwcs4ABAMK
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 5 days ago
Updated: 4 days ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-26jh-r8g2-6fpr
References:

• https://github.com/gradio-app/gradio/security/advisories/GHSA-26jh-r8g2-6fpr
• https://github.com/advisories/GHSA-26jh-r8g2-6fpr

Repository: https://github.com/gradio-app/gradio
Blast Radius: 21.6

Affected Packages