CVE-2024-47165: 
Gradio vulnerability analysis and mitigation

Gradio, an open-source Python package designed for quick prototyping, was found to have a CORS origin validation vulnerability. The issue, identified as CVE-2024-47165, occurs when a Gradio server is deployed locally, where the localhost_aliases variable includes "null" as a valid origin. This vulnerability was disclosed on October 10, 2024, affecting all versions of Gradio prior to version 5.0 (GitHub Advisory).

The vulnerability stems from improper CORS (Cross-Origin Resource Sharing) origin validation that accepts null origins. The issue has been assigned a CVSS v4.0 base score of 6.9 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 5.4 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N. The vulnerability is classified under CWE-285 (Improper Authorization) (NVD).

The vulnerability allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin. This can potentially lead to data theft, including the compromise of user authentication tokens and uploaded files. The impact is particularly significant for users running Gradio locally, especially those implementing basic authentication (GitHub Advisory).

Users are strongly advised to upgrade to Gradio version 5.0 or later to address this vulnerability. For those unable to upgrade immediately, a workaround is available by manually modifying the localhost_aliases list in the local Gradio deployment to exclude "null" as a valid origin. This modification prevents the Gradio server from accepting requests from sandboxed iframes or sources with a null origin (GitHub Advisory).