
Cloud Vulnerability DB
A community-led vulnerabilities database
Gradio, an open-source Python package for quickly building web demos and interfaces for machine-learning models, contains a stored Cross-Site Scripting (XSS) vulnerability (CVE-2024-47872) that affects any Gradio server allowing file uploads. The advisory was published on October 10, 2024, and all versions prior to Gradio 5.0.0 are affected (GitHub Advisory, NVD).
An authenticated user can upload files such as HTML, JavaScript, or SVG documents containing malicious scripts. When another user downloads or views such a file through the Gradio server, the script runs in that user's browser in the context of the Gradio application, allowing the attacker to perform actions on the victim's behalf or steal data the application exposes to the browser, such as session information. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (NVD): the attacker needs an account that can upload (PR:L) and the victim has to open the file (UI:R). Any Gradio server that accepts file uploads is exposed, particularly one using components that process or display user-uploaded files (GitHub Advisory).
The primary mitigation is to upgrade to Gradio 5.0.0 or later. Until then, restrict uploads to non-executable formats such as images or plain text, and validate files on the server before they are stored or shown to anyone, rejecting or sanitizing HTML, JavaScript, and SVG files. Two points matter in practice: SVG counts as active content even though it is an image format, because browsers execute scripts and event handlers embedded in SVG documents, and a client-side file-type filter on the upload component does not protect the server, since an attacker can bypass it with a direct request to the upload endpoint; the check has to run server-side (GitHub Advisory).
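The workaround described above, as an added example that is neither part of the original advisory nor Gradio's own code: a server-side validator that accepts uploads only from an extension allowlist (SVG deliberately excluded), then confirms the content matches the claimed type by magic bytes for images and by a markup scan for text, so that an HTML file renamed to cat.png or notes.txt is still rejected. The allowlist, the helper names (validate_upload, handle_upload, on_upload) and the demo app are assumptions for illustration; the Gradio calls used (gr.File with file_types, the File component's upload event, gr.Error) are real API.

```python
import re
from pathlib import Path
from typing import Optional, Tuple

# Extensions this hypothetical app is willing to store and serve back to other users.
# An allowlist, not a denylist: anything not listed is rejected. SVG is left out on
# purpose, because browsers execute <script> and event handlers inside SVG documents.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".webp", ".txt", ".csv"}

# Leading bytes a file must carry to be accepted under a binary image extension, so that
# an HTML document renamed to cat.png is caught by its content, not just by its name.
MAGIC = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}

# Anything that looks like an HTML/SVG tag (opening or closing), a doctype or comment,
# or a javascript: URL. Deliberately strict: a text upload containing "x<y" is rejected
# too, which is the safe side of the trade-off for files served back to browsers.
MARKUP = re.compile(rb"<\s*/?\s*(?:[a-z][a-z0-9-]*|!doctype|!--)|javascript\s*:", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a file a user wants to upload.

    Checks the extension against the allowlist, then checks that the content matches
    the claimed type, so a file is never accepted on its name alone.
    """
    ext = Path(filename).suffix.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} is not allowed"

    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            return False, f"content does not match {ext} signature"
        return True, "ok"

    if ext == ".webp":
        # WebP is a RIFF container: "RIFF", a 4-byte size, then the "WEBP" form type.
        if not (data[:4] == b"RIFF" and data[8:12] == b"WEBP"):
            return False, "content does not match .webp signature"
        return True, "ok"

    # Text formats: must be valid UTF-8 and must not contain markup a browser could render.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False, "text file is not valid UTF-8"
    if MARKUP.search(data):
        return False, "text file contains HTML/SVG markup or a javascript: URL"
    return True, "ok"


def handle_upload(path: Optional[str]) -> str:
    """Upload callback for a Gradio File component (type="filepath", the default).

    Gradio passes the path of the temporary copy it stored; the file is read back and
    validated before the app does anything else with it. Raises ValueError on rejection
    so this module imports without gradio installed; the demo below maps it to gr.Error.
    """
    if path is None:
        return "no file"
    p = Path(path)
    accepted, reason = validate_upload(p.name, p.read_bytes())
    if not accepted:
        p.unlink(missing_ok=True)  # do not leave the rejected file in the upload directory
        raise ValueError(f"upload rejected: {reason}")
    return f"accepted {p.name} ({p.stat().st_size} bytes)"


if __name__ == "__main__":
    import gradio as gr  # needed only for the demo app, not for the validators above

    def on_upload(path):
        try:
            return handle_upload(path)
        except ValueError as exc:
            raise gr.Error(str(exc))  # shown to the user; the file has already been deleted

    with gr.Blocks() as demo:
        # file_types only filters the browser's file picker and is bypassed by a direct
        # request to the upload endpoint; the server-side check in on_upload is the control.
        upload = gr.File(label="Upload", file_types=sorted(ALLOWED_EXTENSIONS))
        status = gr.Textbox(label="Status")
        upload.upload(on_upload, inputs=upload, outputs=status)
    demo.launch()
```

Run the module directly to start the demo app; import it to reuse validate_upload elsewhere. The design keeps name and content checks together so that neither a double extension (evil.html.png fails the PNG signature) nor a misleading extension (a .txt that is really HTML fails the markup scan) gets a file into the upload directory, and a rejected file is deleted rather than left where a later component might serve it.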
Source: This report was generated using AI