Gradio
cpe:2.3:a:gradio_project:gradio:*:*:*:*:python:*:*
- <= 6.5.1
A moderate open redirect vulnerability has been identified in Gradio, an open-source Python package for quick prototyping, prior to version 6.6.0. The issue arises in the '_redirect_to_target()' function within Gradio's OAuth flow, where an unvalidated '_target_url' query parameter is accepted. This flaw allows redirection to arbitrary external URLs and impacts the '/logout' and '/login/callback' endpoints on Gradio apps with OAuth enabled, such as those running on Hugging Face Spaces with the 'gr.LoginButton' component. An attacker could exploit this by crafting a URL that redirects users to a malicious site after logout, taking advantage of the trust associated with the 'hf.space' domain.
Exploitation of this vulnerability could lead to phishing attacks, where users are redirected to a malicious site, potentially causing harm or deception. However, there is no direct data exposure or server-side impact.
Users can update to Gradio version 6.6.0 or later, where the '_target_url' parameter is sanitized to remove any scheme or host, allowing only the path, query, and fragment.
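The fix described above reduces a user-controlled redirect target to a same-origin relative URL. The function below is an added illustration of that sanitisation pattern, written for this page and not taken from Gradio's own code; the function name `sanitize_redirect_target` and its default of `/` are assumptions. It keeps only the path, query and fragment of whatever is supplied, and also neutralises protocol-relative (`//host`) and backslash forms that browsers would still treat as pointing at another host.

```python
from urllib.parse import urlsplit, urlunsplit


def sanitize_redirect_target(target: str, default: str = "/") -> str:
    """Reduce a user-supplied redirect target to a same-origin relative URL.

    Added example, not Gradio's own implementation. Any scheme and host are
    dropped; only path, query and fragment survive, so
    "https://attacker.example/phish" becomes "/phish".
    """
    if not target:
        return default
    # Browsers treat backslashes as forward slashes in URLs, so normalise them
    # first; otherwise "/\\attacker.example" would slip past the checks below.
    target = target.replace("\\", "/")
    parts = urlsplit(target)
    path = parts.path or "/"
    # Force an absolute path so the result cannot resolve relative to some
    # other location, then collapse any leading "//", which browsers would
    # interpret as a protocol-relative reference to an external host.
    if not path.startswith("/"):
        path = "/" + path
    while path.startswith("//"):
        path = path[1:]
    return urlunsplit(("", "", path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values showing external targets collapsing to paths.
    for sample in (
        "https://attacker.example/phish?x=1#f",
        "//attacker.example/p",
        "/\\attacker.example",
        "/settings?tab=1",
    ):
        print(f"{sample!r:45} -> {sanitize_redirect_target(sample)!r}")
```

A handler for an endpoint such as `/logout` would pass the raw `_target_url` query value through this function before issuing the redirect, so the only thing the parameter can influence is which page of the same app the user lands on.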