CVE-2024-2206: 
Gradio vulnerability analysis and mitigation

An SSRF (Server-Side Request Forgery) vulnerability has been identified in gradio-app/gradio (CVE-2024-2206), discovered in March 2024. The vulnerability exists in the /proxy route due to insufficient validation of user-supplied URLs. This security flaw affects the Hugging Face space infrastructure (NVD, Huntr).

The vulnerability stems from inadequate validation of user-supplied URLs in the /proxy route. Attackers can exploit this by manipulating the self.replica_urls set through the X-Direct-Url header in requests to the / and /config routes. The vulnerability has been assigned a CVSS v3.0 base score of 7.3 (HIGH) with vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating a high severity issue with network accessibility and no required privileges (NVD).

The vulnerability enables unauthorized proxying of requests and potential access to internal endpoints within the Hugging Face space. This could lead to unauthorized access to internal resources and potential data exposure (NVD).

A fix has been implemented and is available in the gradio-app/gradio repository. The patch addresses the vulnerability by improving the validation of URLs in the build_proxy_request function (Github).