CVE-2024-1183

MEDIUM NUCLEI

gradio 3.41.0-4.10.0 - Server-Side Request Forgery via File Parameter

Title source: llm

Exploitation Summary

CVE-2024-1183 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.

Description

An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attacker can discern the status of internal ports based on the presence of a 'Location' header or a 'File not allowed' error in the response.

Nuclei Templates (1)

Gradio - Server Side Request Forgery

MEDIUMVERIFIEDby DhiyaneshDK

Shodan: html:"__gradio_mode__"

References (2)

Core 2

Core References

Patch

https://github.com/gradio-app/gradio/commit/2ad3d9e7ec6c8eeea59774265b44f11df7394bb4

View Patch ZIP pw:eip

Exploit, Third Party Advisory

https://huntr.com/bounties/103434f9-87d2-42ea-9907-194a3c25007c

Scores

CVSS v3 6.5

EPSS 0.0178

EPSS Percentile 75.4%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (2)

gradio_project/gradio 3.41.0 - 4.11.0

pypi/gradio 0 - 4.10.0PyPI

Published Apr 16, 2024

Tracked Since Feb 18, 2026