8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47084

GHSA ID

GHSA-3c67-5hwx-f6wx

EPSS Score

0.33431%

CWE

CWE-285

Published

10/10/2024

Updated

1/21/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47084

CVE-2024-47084: Gradios's CORS origin validation is not performed when the request has a cookie

Impact

What kind of vulnerability is it? Who is impacted?

This vulnerability is related to CORS origin validation, where the Gradio server fails to validate the request origin when a cookie is present. This allows an attacker’s website to make unauthorized requests to a local Gradio server. Potentially, attackers can upload files, steal authentication tokens, and access user data if the victim visits a malicious website while logged into Gradio. This impacts users who have deployed Gradio locally and use basic authentication.

Patches

Yes, please upgrade to gradio>=4.44 to address this issue.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

As a workaround, users can manually enforce stricter CORS origin validation by modifying the CustomCORSMiddleware class in their local Gradio server code. Specifically, they can bypass the condition that skips CORS validation for requests containing cookies to prevent potential exploitation.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-47084

GHSA ID

GHSA-3c67-5hwx-f6wx

EPSS Score

0.33431%

CWE

CWE-285

Published

10/10/2024

Updated

1/21/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
gradio	pip	< 4.44.0	4.44.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability description explicitly mentions the CustomCORSMiddleware class as the location for workarounds. CORS middleware typically handles origin validation logic, and the cookie-related bypass condition would be implemented in the middleware's request handling flow (call method). The high confidence comes from: 1) Direct reference to CustomCORSMiddleware in mitigation guidance 2) Logical placement of CORS validation logic in middleware 3) Alignment with described vulnerability pattern (conditional origin check bypass).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t **W**t kin* o* vuln*r**ility is it? W*o is imp**t**?** T*is vuln*r**ility is r*l*t** to ***ORS ori*in v*li**tion**, w**r* t** *r**io s*rv*r **ils to v*li**t* t** r*qu*st ori*in w**n * *ooki* is pr*s*nt. T*is *llows *n *tt**k*r’s w**sit* t

Reasoning

T** vuln*r**ility **s*ription *xpli*itly m*ntions t** *ustom*ORSMi**l*w*r* *l*ss *s t** lo**tion *or work*roun*s. *ORS mi**l*w*r* typi**lly **n*l*s ori*in v*li**tion lo*i*, *n* t** *ooki*-r*l*t** *yp*ss *on*ition woul* ** impl*m*nt** in t** mi**l*w*r

8.8

Basic Information

Concerned about an active attack path?

CVE-2024-47084: Gradios's CORS origin validation is not performed when the request has a cookie

Impact

Patches

Workarounds

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI