Impact
This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.
Patches
The problem has been patched. Ideally, users should upgrade to gradio==3.19.1 or later where the FRP solution has been properly tested.
Credit
Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team
gregsadetsky Analyst
samueltc Analyst
Impact
This is a vulnerability which affects anyone using Gradio's share links (i.e. creating a Gradio app and then setting
share=True) with Gradio versions older than 3.13.1. In these older versions of Gradio, a private SSH key is sent to any user that connects to the Gradio machine, which means that a user could access other users' shared Gradio demos. From there, other exploits are possible depending on the level of access/exposure the Gradio app provides.Patches
The problem has been patched. Ideally, users should upgrade to
gradio==3.19.1or later where the FRP solution has been properly tested.Credit
Credit to Greg Sadetsky and Samuel Tremblay-Cossette for alerting the team