GHSA-3gf9-wv65-gwh9

GitHub Security Advisory

gradio Server Side Request Forgery vulnerability

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

In gradio <= 4.42.0, the gr.DownloadButton function is affected by a server-side request forgery (SSRF) vulnerability. The cause is that the save_url_to_cache function places no restrictions on the URL it fetches, so a supplied URL can point at local (server-side) target resources. As a result, local resources and sensitive information can be downloaded.
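The kind of URL gate the advisory says is missing, as an added example that is not gradio's own code: before any "download from URL" fetch, it refuses schemes other than http(s) and any host that resolves to a loopback, private, link-local or otherwise non-public address. The function names and the injectable resolve parameter are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to the set of IP address strings it maps to (IPv4 and IPv6)."""
    return {info[4][0].split("%")[0] for info in socket.getaddrinfo(host, None)}


def is_public_address(addr):
    """True only if addr is a routable public address: not loopback, private,
    link-local, multicast, reserved, unspecified, or an IPv4-mapped form of one."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # e.g. ::ffff:127.0.0.1 is really 127.0.0.1
    return ip.is_global


def is_safe_download_url(url, resolve=resolve_host):
    """Gate for a download-from-URL feature (hypothetical helper): only http(s)
    URLs whose host resolves exclusively to public addresses pass."""
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False  # rejects file://, ftp://, gopher:// and similar
    host = parsed.hostname
    if not host:
        return False
    try:
        addrs = resolve(host)
    except OSError:  # socket.gaierror is a subclass of OSError
        return False
    # Every resolved address must be public; a single internal record is enough to refuse.
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    # Constructed sample inputs; IP-literal hosts resolve without network access.
    for candidate in ("http://127.0.0.1/", "http://169.254.1.1/", "file:///data.txt"):
        verdict = "allowed" if is_safe_download_url(candidate) else "refused"
        print(candidate, "->", verdict)
```

Checking the resolved address once is not sufficient on its own: the downloader must connect to the address that was validated (or re-run the check per connection attempt) and re-validate every redirect target, since DNS rebinding or a redirect can otherwise bypass the gate.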

Affected Packages

PyPI gradio
Affected versions: all versions up to and including 4.42.0 (introduced: 0, last affected: 4.42.0)

Key Information

GHSA ID
GHSA-3gf9-wv65-gwh9
Published
November 5, 2024 12:31 AM
Last Modified
November 7, 2024 3:05 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
gradio
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 13, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.