GHSA-89v2-pqfv-c5r9
GitHub Security Advisory
Gradio's CORS origin validation accepts the null origin
Advisory Details
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "null" as a valid origin. This allows attackers to make unauthorized requests from sandboxed iframes or other sources with a null origin, potentially leading to data theft, such as user authentication tokens or uploaded files. This impacts users running Gradio locally, especially those using basic authentication.
### Patches
Yes, please upgrade to `gradio>=5.0` to address this issue.
### Workarounds
**Is there a way for users to fix or remediate the vulnerability without upgrading?**
As a workaround, users can manually modify the `localhost_aliases` list in their local Gradio deployment to exclude "null" as a valid origin. By removing this value, the Gradio server will no longer accept requests from sandboxed iframes or sources with a null origin, mitigating the potential for exploitation.
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.