Описание
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. gr.LoginButton) are used. When a user visits /login/huggingface, the server retrieves its own Hugging Face access token via huggingface_hub.get_token() and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string "-v4", making the payload trivially decodable. Version 6.6.0 fixes the issue.
A flaw was found in Gradio. When Gradio applications run outside of Hugging Face Spaces and use OAuth components, they automatically enable "mocked" OAuth routes. A remote attacker can exploit this by visiting the /login/huggingface endpoint, which causes the server to retrieve its Hugging Face (HF) access token and store it in the visitor's session cookie. Since the session cookie is signed with a hardcoded secret, the attacker can easily decode the payload and steal the server owner's HF token, leading to information disclosure.
Отчет
This vulnerability in Gradio applications, specifically affecting ansible-chatbot-service in Ansible Services, allows a remote attacker to obtain the server owner's Hugging Face access token. This occurs when network-accessible Gradio applications utilize OAuth components outside of Hugging Face Spaces, leading to the automatic enablement of "mocked" OAuth routes. The session cookie, containing the token, is signed with a hardcoded secret, making it trivially decodable.
Меры по смягчению последствий
To mitigate this issue, restrict network access to Gradio applications that utilize OAuth components and are deployed outside of Hugging Face Spaces. Implement firewall rules or a reverse proxy to limit exposure of the application's /login/huggingface endpoint to trusted networks only. If feasible, avoid using OAuth components in self-hosted Gradio deployments until a version with a proper fix is available.
Дополнительная информация
Статус:
EPSS
3.7 Low
CVSS3
Связанные уязвимости
Gradio is an open-source Python package designed for quick prototyping. Starting in version 4.16.0 and prior to version 6.6.0, Gradio applications running outside of Hugging Face Spaces automatically enable "mocked" OAuth routes when OAuth components (e.g. `gr.LoginButton`) are used. When a user visits `/login/huggingface`, the server retrieves its own Hugging Face access token via `huggingface_hub.get_token()` and stores it in the visitor's session cookie. If the application is network-accessible, any remote attacker can trigger this flow to steal the server owner's HF token. The session cookie is signed with a hardcoded secret derived from the string `"-v4"`, making the payload trivially decodable. Version 6.6.0 fixes the issue.
Gradio: Mocked OAuth Login Exposes Server Credentials and Uses Hardcoded Session Secret
EPSS
3.7 Low
CVSS3