{"data":{"id":"f353b05c-13f0-4aa9-ac32-7efce6a698bf","title":"CVE-2024-47867: Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity chec","summary":"Gradio, an open-source Python package for prototyping, has a vulnerability where it downloads an FRP client (a tool for secure data tunneling) without checking if the file has been tampered with. An attacker who controls the download server could replace the legitimate FRP client with malicious code, and Gradio wouldn't detect this because it doesn't verify the file's checksum (a unique fingerprint) or signature (a digital seal of authenticity).","solution":"There is no direct workaround without upgrading. Users can manually validate the integrity of the downloaded FRP client by implementing checksum or signature verification in their own environment to ensure the binary hasn't been tampered with.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2024-47867","publishedAt":"2024-10-11T03:15:02.640Z","cveId":"CVE-2024-47867","cweIds":["CWE-345"],"cvssScore":"7.5","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["Gradio"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00222,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}