Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-26jh-r8g2-6fpr: Gradio's dropdown component pre-process step does not limit the values to those in the dropdown list

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is a data validation issue in the Gradio Dropdown component’s pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user’s machine.

Patches

Yes, this issue is addressed in gradio>=5.0. Please upgrade to the latest version to resolve the problem.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.

ghsa
#vulnerability#mac

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is a data validation issue in the Gradio Dropdown component’s pre-processing step. Even if the allow_custom_value parameter is set to False, attackers can bypass this restriction by sending custom requests with arbitrary values, effectively breaking the developer’s intended input constraints. While this alone is not a severe vulnerability, it can lead to more critical security issues, particularly when paired with other vulnerabilities like file downloads from the user’s machine.

Patches

Yes, this issue is addressed in gradio>=5.0. Please upgrade to the latest version to resolve the problem.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.

References

  • GHSA-26jh-r8g2-6fpr

ghsa: Latest News

GHSA-27wf-5967-98gx: Kubernetes kubelet arbitrary command execution