CVE-2024-10624

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-10624
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.

7.5 /10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374 Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradio_project:gradio:2024-09-18:*:*:*:*:python:*:*
History

15 Oct 2025, 13:15

Type Values Removed Values Added
CWE CWE-400 CWE-1333

14 Oct 2025, 18:54

Type Values Removed Values Added
References () https://huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374 - () https://huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374 - Exploit, Third Party Advisory
First Time Gradio Project gradio
Gradio Project
Summary
  • (es) Existe una vulnerabilidad de denegación de servicio de expresiones regulares (ReDoS) en el repositorio gradio-app/gradio, que afecta al componente gr.Datetime. La versión afectada es el commit git 98cbcae. La vulnerabilidad surge del uso de la expresión regular `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` para procesar la entrada del usuario. En el motor de expresiones regulares predeterminado de Python, esta expresión regular puede tardar un tiempo polinomial en coincidir con ciertas entradas manipuladas. Un atacante puede explotar esto enviando una solicitud HTTP manipulada, lo que provoca que el proceso gradio consuma el 100 % de la CPU y potencialmente genere una denegación de servicio (DoS) en el servidor.
CPE cpe:2.3:a:gradio_project:gradio:2024-09-18:*:*:*:*:python:*:*

20 Mar 2025, 10:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-03-20 10:15

Updated : 2025-10-15 13:15

NVD link : CVE-2024-10624

Mitre link : CVE-2024-10624

CVE.ORG link : CVE-2024-10624

JSON object : View

Products Affected

gradio_project

  • gradio
CWE
CWE-1333

Inefficient Regular Expression Complexity