Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

GHSA-3x5j-9vwr-8rr5

GitHub Security Advisory

Update share links to use FRP instead of SSH tunneling

✓ GitHub Reviewed MODERATE Has CVE
View on GitHub

Advisory Details

### Impact
This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting `share=True`) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.

### Patches
The problem has been patched. Ideally, users should upgrade to `gradio==3.19.1` or later where the FRP solution has been properly tested.

### Credit
Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team

Affected Packages

PyPI gradio
Affected versions: 0 (fixed in 3.13.1)

Related CVEs

CVE-2023-25823

Key Information

GHSA ID
GHSA-3x5j-9vwr-8rr5
Published
February 23, 2023 10:10 PM
Last Modified
September 20, 2024 9:41 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
gradio
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 11, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.