
CVE-2024-47084: Gradio's CORS origin validation is not performed when the request has a cookie

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.33431%
Published: 10/10/2024
Updated: 1/21/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
gradio       | pip       | < 4.44.0            | 4.44.0

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly names the CustomCORSMiddleware class as the place where workarounds would be applied. CORS middleware is where origin validation normally lives, so the cookie-conditional bypass would sit in the middleware's request-handling flow (its call method), where the origin check is skipped or short-circuited when the request carries a cookie. The CVSS vector is consistent with this: UI:R reflects that a victim browser already holding a cookie for the Gradio host must visit the attacker's page. The high confidence comes from:

1) the direct reference to CustomCORSMiddleware in the mitigation guidance;
2) the logical placement of CORS validation logic in middleware;
3) alignment with the described vulnerability pattern (a conditional origin check that can be bypassed).

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker's website t
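The bypass pattern described in the root cause analysis and in the impact text above, as an added illustrative example (not Gradio's CustomCORSMiddleware and not the project's own code): a CORS decision in which a Cookie header short-circuits the origin check, shown beside the hardened form where the check always runs. The allowlist (same-host origins, with the loopback aliases treated as one host), the function names and the request headers are constructed for the demo.

```python
"""Cookie-conditional CORS origin check beside its hardened form.

Added, hypothetical example: this is not Gradio's CustomCORSMiddleware, only
the pattern the advisory describes. Request headers, allowlist and names
below are constructed for the demo.
"""
from urllib.parse import urlsplit

# Assumption for the demo: a locally served app that only accepts same-host
# origins, treating the loopback aliases as interchangeable.
LOOPBACK_ALIASES = {"localhost", "127.0.0.1", "0.0.0.0", "::1"}


def is_valid_origin(origin: str, host: str) -> bool:
    """True when the Origin hostname matches the request Host (port ignored),
    or both are loopback aliases. Unparseable origins (e.g. "null") fail."""
    origin_host = urlsplit(origin).hostname
    request_host = urlsplit("//" + host).hostname
    if not origin_host or not request_host:
        return False
    if origin_host == request_host:
        return True
    return origin_host in LOOPBACK_ALIASES and request_host in LOOPBACK_ALIASES


def cors_headers_vulnerable(req: dict) -> dict:
    """Bypass pattern: a Cookie header short-circuits the origin check, so any
    site the victim's browser sends cookies to gets its origin reflected with
    credentials allowed."""
    origin = req.get("origin")
    if origin is None:
        return {}
    if "cookie" in req or is_valid_origin(origin, req.get("host", "")):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers_patched(req: dict) -> dict:
    """Hardened form: the origin check runs on every request; a cookie never
    widens what is allowed."""
    origin = req.get("origin")
    if origin is None or not is_valid_origin(origin, req.get("host", "")):
        return {}
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


# Constructed requests (header names lower-cased as an ASGI server presents
# them): a same-host call from the app's own UI and a cross-site call made by
# an attacker's page, both carrying the victim's session cookie.
LEGIT = {"host": "127.0.0.1:7860", "origin": "http://localhost:7860",
         "cookie": "session=victim"}
CROSS_SITE = {"host": "127.0.0.1:7860", "origin": "https://attacker.example",
              "cookie": "session=victim"}


def compare() -> dict:
    """Origin each variant reflects; None means no CORS headers are emitted,
    so the browser blocks the cross-site read."""
    return {
        "vulnerable/legit": cors_headers_vulnerable(LEGIT).get("Access-Control-Allow-Origin"),
        "vulnerable/cross-site": cors_headers_vulnerable(CROSS_SITE).get("Access-Control-Allow-Origin"),
        "patched/legit": cors_headers_patched(LEGIT).get("Access-Control-Allow-Origin"),
        "patched/cross-site": cors_headers_patched(CROSS_SITE).get("Access-Control-Allow-Origin"),
    }


if __name__ == "__main__":
    for case, reflected in compare().items():
        print(f"{case:22} -> {reflected}")
```

The point of the comparison is the "vulnerable/cross-site" row: with a cookie attached, the vulnerable variant reflects https://attacker.example and sets Access-Control-Allow-Credentials, which is exactly what lets an attacker's page read authenticated responses; the same request without a cookie is refused by both variants, which is why the bug is easy to miss in a test suite that never sends credentials.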
