Headline
GHSA-26jh-r8g2-6fpr: Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability is a data validation issue in the Gradio Dropdown
component’s pre-processing step. Even if the allow_custom_value
parameter is set to False
, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user’s machine.
Patches
Yes, this issue is addressed in gradio>=5.0
. Please upgrade to the latest version to resolve the problem.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.
Impact
What kind of vulnerability is it? Who is impacted?
This vulnerability is a data validation issue in the Gradio Dropdown component’s pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user’s machine.
Patches
Yes, this issue is addressed in gradio>=5.0. Please upgrade to the latest version to resolve the problem.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.
References
- GHSA-26jh-r8g2-6fpr