CVE-2024-47084: 
Gradio vulnerability analysis and mitigation

Gradio, an open-source Python package designed for quick prototyping, contains a vulnerability (CVE-2024-47084) related to CORS origin validation. The vulnerability exists where the Gradio server fails to validate the request origin when a cookie is present, affecting versions prior to 4.44.0. The issue was discovered and disclosed on October 10, 2024 (GitHub Advisory).

The vulnerability stems from improper CORS (Cross-Origin Resource Sharing) origin validation in the Gradio server implementation. Specifically, the issue occurs in the CustomCORSMiddleware class where the server skips CORS validation when requests contain cookies. The vulnerability has received a CVSS v3.1 base score of 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (NVD).

The vulnerability allows an attacker's website to make unauthorized requests to a local Gradio server. When a victim visits a malicious website while logged into Gradio, attackers can potentially upload files, steal authentication tokens, and access user data. This primarily impacts users who have deployed Gradio locally and use basic authentication (GitHub Advisory).

Users are strongly advised to upgrade to Gradio version 4.44 or later to address this vulnerability. As a temporary workaround, users can manually enforce stricter CORS origin validation by modifying the CustomCORSMiddleware class in their local Gradio server code, specifically by bypassing the condition that skips CORS validation for requests containing cookies (GitHub Advisory).