CVE-2024-48052

In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local target resources. This can lead to the download of local resources and sensitive information.
Configurations

Configuration 1 (hide)

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

History

13 Jun 2025, 00:21

Type Values Removed Values Added
References () https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12 - () https://gist.github.com/AfterSnows/45ffc23797f9127e00755376cc610e12 - Third Party Advisory
References () https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4 - () https://rumbling-slice-eb0.notion.site/FULL-SSRF-in-gr-DownloadButton-in-gradio-app-gradio-870b21e0908b48cbafd914719ac1a4e6?pvs=4 - Exploit, Third Party Advisory
CPE cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
First Time Gradio Project gradio
Gradio Project

06 Nov 2024, 20:35

Type Values Removed Values Added
CWE CWE-918
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 6.5

05 Nov 2024, 16:04

Type Values Removed Values Added
Summary
  • (es) En gradio &lt;=4.42.0, la función gr.DownloadButton tiene una vulnerabilidad oculta de server-side request forgery (SSRF). La razón es que dentro de la función save_url_to_cache no hay restricciones en la URL, lo que permite el acceso a recursos de destino locales. Esto puede provocar la descarga de recursos locales e información confidencial.

04 Nov 2024, 23:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-11-04 23:15

Updated : 2025-06-13 00:21


NVD link : CVE-2024-48052

Mitre link : CVE-2024-48052

CVE.ORG link : CVE-2024-48052


JSON object : View

Products Affected

gradio_project

  • gradio
CWE
CWE-918

Server-Side Request Forgery (SSRF)