Vulnerability CVE-2024-1727
Published: 2024-03-21
Description:
To prevent malicious third-party websites from making requests to Gradio applications running locally, this PR tightens the CORS rules around Gradio applications. In particular, it checks whether the Host header is localhost (or one of its aliases) and, if so, requires the Origin header (if present) to be localhost (or one of its aliases) as well.
Type:
CWE-352 (Cross-Site Request Forgery (CSRF))
References:
https://huntr.com/bounties/a94d55fb-0770-4cbe-9b20-97a978a2ffff
https://github.com/gradio-app/gradio/commit/84802ee6a4806c25287344dce581f9548a99834a
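
The Host/Origin rule from the description, sketched as an added example (not Gradio's code and not taken from the referenced commit). The function names, the alias set and the sample header values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed alias set; the description only says "localhost (or one of its aliases)".
LOCALHOST_ALIASES = frozenset({"localhost", "127.0.0.1", "::1", "0.0.0.0"})


def hostname_of(value):
    """Return the lowercase hostname of a Host or Origin header value, port removed."""
    value = value.strip()
    try:
        # A Host header carries no scheme; "//" makes urlsplit parse it as a netloc.
        parts = urlsplit(value if "://" in value else "//" + value)
    except ValueError:
        return ""  # malformed value: never counts as local
    return (parts.hostname or "").lower()


def is_local(value):
    # Exact hostname match, so "localhost.evil.example" is not treated as local.
    return hostname_of(value) in LOCALHOST_ALIASES


def origin_allowed(host_header, origin_header):
    """If Host is local and an Origin is present, the Origin must be local too."""
    if origin_header is None:
        return True  # no Origin header: the rule does not apply
    if host_header is not None and is_local(host_header):
        return is_local(origin_header)
    return True  # non-local Host: this rule adds no restriction


# Constructed sample requests as (Host, Origin) pairs.
SAMPLES = [
    ("localhost:7860", "http://localhost:7860"),          # same-machine UI
    ("127.0.0.1:7860", "http://localhost:7860"),          # alias mismatch, still local
    ("localhost:7860", "https://evil.example"),           # cross-site page
    ("localhost:7860", "http://localhost.evil.example"),  # look-alike hostname
    ("localhost:7860", None),                             # non-browser client
    ("demo.example.org", "https://evil.example"),         # publicly hosted app
]


def evaluate_samples():
    return [origin_allowed(host, origin) for host, origin in SAMPLES]


if __name__ == "__main__":
    for (host, origin), ok in zip(SAMPLES, evaluate_samples()):
        print(f"Host={host!r} Origin={origin!r} -> {'allow' if ok else 'reject'}")
```
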
Copyright 2026, cxsecurity.com