Gradio Regular Expression Denial-of-Service Vulnerability in Datetime Component

Vulnerability

A Regular Expression Denial of Service (ReDoS) vulnerability has been identified in the Gradio library, specifically in the Datetime component, at git commit 98cbcae. The issue arises from a regular expression used to process user input: a crafted input can be exploited to create a Denial of Service condition by causing the Gradio process to consume 100% of the CPU, leaving the server unresponsive for an extended period.

Impact

Exploitation of this vulnerability causes the Python process running Gradio to use 100% CPU, leading to a Denial of Service condition on the server that can last for an arbitrary length of time.

Reproduction

To reproduce this vulnerability, create a simple Gradio application that uses the Datetime component. Once the application is running, send a crafted HTTP request whose 'now' time string is formatted to exploit the regular expression used by the Datetime component; the server then processes the input for an extended period while consuming maximum CPU resources.
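As an added, defender-side example that is not part of this advisory or of Gradio's own code: the advisory does not publish the affected pattern, so the parser below assumes a hypothetical "now ± <n><unit>" relative-time format and shows how such input can be accepted in linear time, behind a length cap, without a backtracking-prone regular expression.

```python
from datetime import datetime, timedelta
from typing import Optional

# Hard cap applied before any parsing: bounds the worst-case work per request.
MAX_INPUT_LEN = 64
# Assumed unit suffixes for the hypothetical format (seconds per unit).
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_relative_offset(text: str) -> Optional[int]:
    """Parse 'now', 'now - 5m', 'now + 2h', ... into a signed offset in seconds.

    Every character is examined at most once, so the cost is linear in the
    input length. Any malformed input yields None instead of an exception.
    """
    if len(text) > MAX_INPUT_LEN:
        return None  # reject oversized input before touching it
    s = text.strip().lower()
    if s == "now":
        return 0
    if not s.startswith("now"):
        return None
    rest = s[3:].lstrip()
    if not rest or rest[0] not in "+-":
        return None
    sign = 1 if rest[0] == "+" else -1
    rest = rest[1:].lstrip()
    # Scan the digit run explicitly; no quantifier can backtrack here.
    i = 0
    while i < len(rest) and rest[i].isdigit():
        i += 1
    if i == 0 or i > 9:  # no number, or an absurdly large one
        return None
    amount = int(rest[:i])
    unit = rest[i:].strip()
    if unit not in UNIT_SECONDS:
        return None
    return sign * amount * UNIT_SECONDS[unit]


def resolve(text: str, now: Optional[datetime] = None) -> Optional[datetime]:
    """Apply the parsed offset to a reference time (defaults to the current time)."""
    offset = parse_relative_offset(text)
    if offset is None:
        return None
    return (now or datetime.now()) + timedelta(seconds=offset)
```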

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.