exploitDog
GHSA-pfjf-5gxr-995x

Published: 1 Mar 2026
Source: github
GitHub: Reviewed
CVSS3: 4.3

Description

Gradio has an Open Redirect in its OAuth Flow

Summary

The _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton).

Details

from starlette.responses import RedirectResponse

def _redirect_to_target(request, default_target="/"):
    # _target_url is read straight from the query string and is fully attacker-controlled
    target = request.query_params.get("_target_url", default_target)
    return RedirectResponse(target)  # No validation: any scheme or host is accepted as-is

An attacker can craft a URL like https://my-space.hf.space/logout?_target_url=https://evil.com/phishing that redirects the user to an external site after logout. Because the URL originates from a trusted hf.space domain, users are more likely to trust the link.

Impact

Phishing — an attacker can use the trusted domain to redirect users to a malicious site. No direct data exposure or server-side impact.

Fix

The _target_url parameter is now sanitized to only use the path, query, and fragment, stripping any scheme or host.
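One way to implement the sanitization described above, added here as an illustration and not Gradio's own code: the target is reparsed and rebuilt from path, query and fragment only. The helper names sanitize_target and redirect_location are hypothetical, and the block also covers shapes the advisory does not list (protocol-relative targets, backslashes, stacked slashes, control characters) that a reviewer would want to check when validating a fix of this kind.

```python
from urllib.parse import urlsplit

# Hypothetical helper (not Gradio's code): keep only path, query and fragment
# of a user-supplied redirect target, so the Location value can never point
# off-site. Mirrors the fix the advisory describes for _target_url.
def sanitize_target(target: str, default: str = "/") -> str:
    if not target:
        return default
    # Control characters would allow header injection; refuse them outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        return default
    # Browsers treat "\" like "/", so "/\evil.com" would be resolved as the
    # protocol-relative "//evil.com". Normalise before parsing.
    parts = urlsplit(target.replace("\\", "/"))
    # Scheme and netloc are discarded. Collapsing leading slashes guarantees the
    # rebuilt path starts with exactly one "/", so "////evil.com" cannot
    # survive as a protocol-relative reference.
    location = "/" + parts.path.lstrip("/")
    if parts.query:
        location += "?" + parts.query
    if parts.fragment:
        location += "#" + parts.fragment
    return location

# Hypothetical framework-free stand-in for _redirect_to_target(): takes the
# query parameters as a dict and returns the Location value to emit.
def redirect_location(query_params: dict, default_target: str = "/") -> str:
    return sanitize_target(query_params.get("_target_url", default_target),
                           default_target)

if __name__ == "__main__":
    # Constructed inputs: the advisory's example plus bypass shapes that a
    # reviewer should check for when validating a fix of this kind.
    samples = [
        "https://evil.com/phishing",   # advisory example -> /phishing
        "//evil.com/x?y=1#f",          # protocol-relative -> /x?y=1#f
        "/\\evil.com",                 # backslash trick -> /
        "////evil.com",                # slash stacking -> /evil.com
        "javascript:alert(1)",         # non-http scheme -> /alert(1)
        "/dashboard?tab=2",            # legitimate local target, unchanged
    ]
    for s in samples:
        print(f"{s!r:32} -> {sanitize_target(s)!r}")
```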

Packages

Name: gradio (pip)
Affected versions: < 6.6.0
Fixed version: 6.6.0

EPSS

Percentile: 1%
0.0001
Low

4.3 Medium

CVSS3

Weaknesses

CWE-200
CWE-284
CWE-330
CWE-601

Related vulnerabilities

CVSS3: 4.3
redhat
28 days ago

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.

CVSS3: 4.3
nvd
28 days ago

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.
