GHSA-j757-pf57-f8r4
GitHub Security Advisory
Gradio performs a non-constant-time comparison when comparing hashes
Advisory Details
### Impact
**What kind of vulnerability is it? Who is impacted?**
This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant time, an attacker could exploit this by measuring the response time of different requests to infer the correct hash byte-by-byte. This can lead to unauthorized access to the analytics dashboard, especially if the attacker can repeatedly query the system with different keys.
### Patches
Yes, please upgrade to `gradio>4.44` to mitigate this issue.
### Workarounds
**Is there a way for users to fix or remediate the vulnerability without upgrading?**
To mitigate the risk before applying the patch, developers can manually patch the `analytics_dashboard` dashboard to use a **constant-time comparison** function for comparing sensitive values, such as hashes. Alternatively, access to the analytics dashboard can be disabled.
Affected Packages
Related CVEs
Key Information
Dataset
Data from GitHub Advisory Database. This information is provided for research and educational purposes.