{"data":{"id":"1a6fa642-16a0-4eac-976d-ccd02071c217","title":"CVE-2024-48052: In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The re","summary":"Gradio version 4.42.0 and earlier contain a server-side request forgery vulnerability (SSRF, a flaw where a server can be tricked into making requests to unintended targets) in the gr.DownloadButton function. The issue exists because the save_url_to_cache function doesn't validate URLs properly, allowing attackers to download local files and access sensitive information from the server.","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-48052","publishedAt":"2024-11-05T04:15:04.337Z","cveId":"CVE-2024-48052","cweIds":["CWE-918"],"cvssScore":"6.5","cvssSeverity":"medium","severity":"medium","attackType":["rag_poisoning"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00092,"patchAvailable":null,"disclosureDate":null,"capecIds":["CAPEC-664"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}