CVE-2024-10624
Regular Expression Denial of Service (ReDoS) in gradio-app/gradio
In short
A weakness in the gr.Datetime component of Gradio allows attackers to send specially crafted inputs that make the server spend excessive CPU time processing a regular expression, freezing the application and denying service to legitimate users.
Technical detail
A ReDoS vulnerability in the gr.Datetime component's regex pattern `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` permits unauthenticated remote attackers to trigger polynomial-time regex matching via crafted HTTP requests, exhausting CPU resources and causing denial of service.
Summary generated and translated by AI from the official description.
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected products
gradio-app · gradio-app/gradioWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →