CVE-2024-1727 - Vulnerability Details - OpenCVE

A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Gradio Project	Gradio

Configuration 1 [-]

cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*

No data.

References

Link	Providers
https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff

History

Wed, 30 Jul 2025 20:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Gradio Project Gradio Project gradio
CPEs		cpe:2.3:a:gradio_project:gradio::::::python::*
Vendors & Products		Gradio Project Gradio Project gradio

MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published: 2024-03-21T19:57:39.129Z

Updated: 2024-08-01T18:48:21.951Z

Reserved: 2024-02-21T21:55:06.942Z

Link: CVE-2024-1727

Vulnrichment

Updated: 2024-08-01T18:48:21.951Z

NVD

Status : Analyzed

Published: 2024-03-21T20:15:07.620

Modified: 2025-07-30T20:11:16.023

Link: CVE-2024-1727

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-1727", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2024-02-21T21:55:06.942Z", "datePublished": "2024-03-21T19:57:39.129Z", "dateUpdated": "2024-08-01T18:48:21.951Z"}, "containers": {"cna": {"title": "CSRF Vulnerability in gradio-app/gradio", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:19.322Z"}, "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py."}], "affected": [{"vendor": "gradio-app", "product": "gradio-app/gradio", "versions": [{"version": "unspecified", "lessThan": "4.19.2", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"}, {"url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352"}]}], "source": {"advisory": "a94d55fb-0770-4cbe-9b20-97a978a2ffff", "discovery": "EXTERNAL"}}, "adp": [{"affected": [{"vendor": "gradio_project", "product": "gradio", "cpes": ["cpe:2.3:a:gradio_project:gradio:4.16.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "4.16.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-03-25T16:25:33.992945Z", "id": "CVE-2024-1727", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T21:01:35.088Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:21.951Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff", "tags": ["x_transferred"]}, {"url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff", "tags": ["x_transferred"]}, {"url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:48:21.951Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-1727", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-25T16:25:33.992945Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:gradio_project:gradio:4.16.0:*:*:*:*:*:*:*"], "vendor": "gradio_project", "product": "gradio", "versions": [{"status": "affected", "version": "4.16.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T21:01:10.257Z"}}], "cna": {"title": "CSRF Vulnerability in gradio-app/gradio", "source": {"advisory": "a94d55fb-0770-4cbe-9b20-97a978a2ffff", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "gradio-app", "product": "gradio-app/gradio", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "4.19.2", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"}, {"url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"}], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352 Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2024-04-16T11:10:19.322Z"}}}, "cveMetadata": {"cveId": "CVE-2024-1727", "state": "PUBLISHED", "dateUpdated": "2024-08-01T18:48:21.951Z", "dateReserved": "2024-02-21T21:55:06.942Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2024-03-21T19:57:39.129Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*", "matchCriteriaId": "5823139A-4C5D-4AD8-9C8B-A8D294553405", "versionEndExcluding": "4.19.2", "versionStartIncluding": "4.16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized file upload to the victim's server, an attacker can deplete the system's disk space, potentially leading to a denial of service. This issue affects the file upload functionality as implemented in gradio/routes.py."}, {"lang": "es", "value": "Para evitar que sitios web maliciosos de terceros realicen solicitudes a aplicaciones de Gradio que se ejecutan localmente, este PR endurece las reglas CORS en torno a las aplicaciones de Gradio. En particular, verifica si el encabezado del host es localhost (o uno de sus alias) y, de ser as\u00ed, requiere que el encabezado de origen (si est\u00e1 presente) tambi\u00e9n sea localhost (o uno de sus alias)."}], "id": "CVE-2024-1727", "lastModified": "2025-07-30T20:11:16.023", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "[email protected]", "type": "Secondary"}]}, "published": "2024-03-21T20:15:07.620", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "[email protected]", "type": "Secondary"}]}