Gradio Mocked OAuth Login Vulnerability Allows Access Token Theft

Vulnerability

A vulnerability exists in Gradio versions from 4.16.0 up to, but not including, 6.6.0: when an application that uses OAuth components runs outside of Hugging Face Spaces, Gradio automatically activates 'mocked' OAuth routes. This flaw allows remote attackers to steal the server owner's Hugging Face access token. The mocked flow reads the token on the host through 'huggingface_hub.get_token()' and stores it in the session cookie, which is signed with a hardcoded secret, so its contents can be easily decoded by anyone who obtains the cookie. Because the mocked OAuth flow injects the real token into the session of every visitor, any network-accessible deployment becomes a pathway for token theft.

Impact

Exploitation of this vulnerability gives an attacker the server owner's Hugging Face token, which could then be misused for any action the token permits.

Reproduction

To reproduce this vulnerability, deploy a Gradio application that uses OAuth components, such as 'gr.LoginButton', and make it accessible over the network. The application must be running outside of a Hugging Face Space, with a valid Hugging Face token configured on the host machine. Once the application is live, send a GET request to '/login/huggingface'. The server responds with a redirect to '/login/callback', where the session cookie containing the Hugging Face token is set. This cookie can then be base64-decoded to extract the access token.

Remediation

Upgrade to Gradio version 6.6.0 or later, where this vulnerability has been fixed. Until the upgrade is applied, an affected application should not be reachable over the network from a host that has a Hugging Face token configured, since both conditions are required for the token to be exposed.
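As an added example that is not part of the advisory or of the Gradio project, the following Python script helps an operator of a self-hosted deployment answer two questions: whether the installed Gradio version falls in the affected range stated above, and whether the mocked OAuth endpoints named in the reproduction section were ever requested. The access-log format and the sample log lines are constructed assumptions; the caller decides whether the app runs inside a Hugging Face Space.

```python
import re
from collections import defaultdict

# Affected range as stated in the advisory: Gradio >= 4.16.0 and < 6.6.0.
AFFECTED_MIN = (4, 16, 0)
FIXED_VERSION = (6, 6, 0)

# Endpoints of the mocked OAuth flow named in the reproduction section.
MOCKED_OAUTH_PATHS = ("/login/huggingface", "/login/callback")

# Constructed sample access log in Common Log Format (assumed; not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Feb/2026:22:10:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [27/Feb/2026:22:10:05 +0000] "GET /login/huggingface HTTP/1.1" 307 0
203.0.113.7 - - [27/Feb/2026:22:10:05 +0000] "GET /login/callback HTTP/1.1" 307 0
10.0.0.5 - - [27/Feb/2026:22:11:00 +0000] "POST /gradio_api/queue/join HTTP/1.1" 200 80
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_version(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH[suffix]' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version: str, running_in_space: bool) -> bool:
    """True when the version is in the affected range and the app runs outside a Space."""
    return not running_in_space and AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def mocked_oauth_hits(log_text: str) -> dict:
    """Map each client IP to the mocked-OAuth paths it requested, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than abort the scan
        client, _method, target, _status = m.groups()
        path = target.split("?", 1)[0]  # ignore any query string when matching
        if path in MOCKED_OAUTH_PATHS:
            hits[client].append(path)
    return dict(hits)


if __name__ == "__main__":
    print("affected:", is_affected("5.0.0", running_in_space=False))
    for client, paths in mocked_oauth_hits(SAMPLE_LOG).items():
        print(f"{client} requested {paths}")
```

A client that appears with both paths in the result reached the callback that sets the token-bearing cookie, which on an affected deployment should be treated as a likely token exposure and the host token rotated.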

Added: Feb 27, 2026, 10:32 PM
Updated: Feb 27, 2026, 10:32 PM

Vulnerability Rating

Custom Algorithm

spread: 4.5
impact: 2.5
exploitability: 8.7
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.