Gradio Server-Side Request Forgery Vulnerability in External Space Loading

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability exists in Gradio versions prior to 6.6.0. It allows an attacker who hosts a malicious Gradio Space to make arbitrary HTTP requests from a victim's server. When a victim application uses 'gr.load()' to load the attacker-controlled Space, the 'proxy_url' taken from the Space's configuration is trusted without validation and added to an allowlist. This lets the attacker reach internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.
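As an added example, not Gradio's own code or its actual fix, the block below shows the kind of fail-closed validation a loader could apply before trusting a 'proxy_url' taken from a remote Space's configuration. The trusted domains, the function names and the sample configs are assumptions constructed for this illustration.

```python
import ipaddress
from urllib.parse import urlparse

# Assumption for this example: a loader only expects proxy_url to point at
# Hugging Face-hosted Spaces, so anything else is refused (fail closed).
TRUSTED_DOMAINS = ("hf.space", "huggingface.co")

# Constructed sample of the kind of remote config a loader receives; the
# second entry is the shape of value a malicious Space would supply.
SAMPLE_CONFIGS = [
    {"proxy_url": "https://demo-user-demo.hf.space"},
    {"proxy_url": "https://169.254.169.254/latest/meta-data/"},
]


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal outside public address space
    (loopback, link-local, private, reserved); metadata endpoints are
    link-local. Hostnames are not resolved here."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return not ip.is_global


def host_is_trusted(host: str) -> bool:
    """Exact match or subdomain of a trusted domain; 'evilhf.space' fails."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def proxy_url_is_safe(proxy_url: str) -> bool:
    """Decide whether a proxy_url from a remote Space's config may be added
    to the outbound allowlist: HTTPS only, no embedded credentials, no
    internal IP literals, and the host must be on the trusted list."""
    try:
        parsed = urlparse(proxy_url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    host = (parsed.hostname or "").lower()
    if parsed.scheme != "https" or not host:
        return False
    if parsed.username or parsed.password:
        return False
    if is_internal_address(host):
        return False
    return host_is_trusted(host)


def allowlist_from_configs(configs: list) -> list:
    """Keep only proxy_urls that pass validation; unsafe ones are dropped
    rather than added to the allowlist."""
    return [c["proxy_url"] for c in configs
            if isinstance(c.get("proxy_url"), str) and proxy_url_is_safe(c["proxy_url"])]
```

Hostname entries that pass this check can still resolve to internal addresses, so a production loader also needs a check at connection time on the resolved address.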

Impact

Exploitation of this vulnerability could lead to unauthorized access to internal services and cloud metadata endpoints, allowing for actions such as stealing cloud credentials or accessing sensitive internal APIs and services.

Reproduction

To reproduce this vulnerability, an attacker must create a malicious Gradio Space that includes a 'proxy_url' pointing to a desired internal endpoint or cloud metadata service. Once the Space is created, the victim must load it using the 'gr.load()' function. After the Space is loaded, the attacker can exploit the injected 'proxy_url' to access the specified endpoint through the victim's Gradio application.

Remediation

Users are advised to update Gradio to version 6.6.0 or later, where this vulnerability has been fixed.

Added: Feb 27, 2026, 10:25 PM
Updated: Feb 27, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 3.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.