CVE-2024-47871
CRITICALDescription
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not enforced on the connection, allowing attackers to intercept and read files uploaded to the Gradio server, as well as modify responses or data sent between the client and server. This impacts users who are sharing Gradio demos publicly over the internet using `share=True` without proper encryption, exposing sensitive data to potential eavesdroppers. Users are advised to upgrade to `gradio>=5` to address this issue. As a workaround, users can avoid using `share=True` in production environments and instead host their Gradio applications on servers with HTTPS enabled to ensure secure communication.
Is your site exposed to CVE-2024-47871?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| gradio_project | gradio |
References
Frequently Asked Questions
What is CVE-2024-47871? +
How severe is CVE-2024-47871? +
What products are affected by CVE-2024-47871? +
How do I check if I'm vulnerable to CVE-2024-47871? +
Related Vulnerabilities
Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to …
Lack of sensitive data encryption in CapillaryScope v2.5.0 of Capillary io, which stores both the proxy credentials and the JWT …
ToolHive is a utility designed to simplify the deployment and management of Model Context Protocol (MCP) servers. Due to the …
Missing encryption of sensitive data in Korenix JetPort 5601v3 allows Eavesdropping.This issue affects JetPort 5601v3: through 1.2.
Sensitive customer information is stored in the device without encryption.
The Temporal api-go library prior to version 1.44.1 did not send `update response` information to Data Converter when the proxy …