Dropdown component pre-process step does not limit the values to those in the dropdown list

Low
abidlabs published GHSA-26jh-r8g2-6fpr Oct 10, 2024

Package

gradio (pip)

Affected versions

< 5.0

Patched versions

5.0

Description

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is a data validation issue in the pre-processing step of the Gradio Dropdown component. Even when the allow_custom_value parameter is set to False, the server does not check a submitted value against the dropdown's list of choices, so an attacker can bypass the restriction by sending a crafted request containing an arbitrary value, breaking the input constraint the developer intended. On its own this is not a severe vulnerability, but it can lead to more critical security issues when paired with other vulnerabilities, such as file downloads from the user's machine.

Patches

Yes, this issue is addressed in gradio>=5.0. Please upgrade to the latest version to resolve the problem.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

To mitigate the issue without upgrading, developers can add manual validation in their prediction function to check the received values against the allowed dropdown values before processing them.
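The check described in this workaround, written out as an added example (not code from the Gradio project or from the advisory). It assumes a hypothetical prediction function `predict` behind a Dropdown whose choices are the constructed list `ALLOWED_CHOICES`; the dropdown value is re-validated server-side before it is used, and, as a generalisation of the single-value case in the advisory, a multiselect list of values is validated element by element. The `gradio` import is optional and only needed to serve the demo; `gr.Dropdown`, `gr.Interface` and `gr.Error` are real Gradio APIs.

```python
"""Server-side re-validation of a Dropdown value (hypothetical example).

Because gradio < 5.0 does not enforce the choice list in its pre-processing
step even with allow_custom_value=False, the prediction function re-checks
the value itself before doing anything with it.
"""

# Constructed sample choices for the demo dropdown.
ALLOWED_CHOICES = ["small", "medium", "large"]


class InvalidChoiceError(ValueError):
    """Raised when a submitted value is not one of the dropdown's choices."""


def validate_choice(value, choices=ALLOWED_CHOICES):
    """Return the validated value, or raise InvalidChoiceError.

    A multiselect Dropdown delivers a list; every element must be allowed.
    Membership is checked against the exact configured choices, so look-alike
    values (different case, extra whitespace, paths) are rejected.
    """
    allowed = set(choices)
    if isinstance(value, (list, tuple)):
        bad = [v for v in value if v not in allowed]
        if bad:
            raise InvalidChoiceError(f"values not in dropdown choices: {bad!r}")
        return list(value)
    if value not in allowed:
        raise InvalidChoiceError(f"value not in dropdown choices: {value!r}")
    return value


def predict(size):
    """Hypothetical prediction function: validate, then use the value."""
    size = validate_choice(size)
    # Only values from the configured choice list reach this point, so it is
    # safe to use `size` in file names, lookups, or other downstream logic.
    return f"selected size: {size}"


def safe_predict(size):
    """Wrapper returning (ok, result) instead of raising, for callers/tests."""
    try:
        return True, predict(size)
    except InvalidChoiceError as exc:
        return False, str(exc)


if __name__ == "__main__":
    try:
        import gradio as gr  # optional: only needed to serve the demo UI
    except ImportError:
        # Offline demonstration: an allowed value and a crafted one.
        print(safe_predict("small"))
        print(safe_predict("huge"))
    else:
        def ui_predict(size):
            ok, result = safe_predict(size)
            if not ok:
                raise gr.Error(result)  # surface the rejection to the user
            return result

        gr.Interface(
            fn=ui_predict,
            inputs=gr.Dropdown(choices=ALLOWED_CHOICES, allow_custom_value=False),
            outputs="text",
        ).launch()
```

The validation deliberately lives inside the prediction function rather than in the UI layer: the UI's choice list is advisory to a client that builds its own requests, while the server-side check runs regardless of what the client sent.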

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits