CVE-2024-10569
denial of service vulnerability in gradio (PyPI)
What is CVE-2024-10569 About?
This denial of service vulnerability in gradio-app/gradio's dataframe component allows for a zip bomb attack. The component's use of `pd.read_csv` with support for compressed files makes it susceptible to maliciously crafted archives. Successful exploitation leads to a server crash, causing service interruption, and is relatively easy to trigger by uploading a malicious file.
Affected Software
Technical Details
The vulnerability resides in the dataframe component of gradio-app/gradio (specifically version git 98cbcae), where user-provided input values are processed with pd.read_csv. This function inherently supports reading compressed files. An attacker can craft a 'zip bomb', a highly compressed archive that expands to an extremely large size when decompressed. When such a file is uploaded to the Gradio application, pd.read_csv attempts to decompress and process it, consuming excessive system resources (CPU, memory, disk I/O). This resource exhaustion crashes the server, effectively causing a denial of service for the Gradio application.
What is the Impact of CVE-2024-10569?
Successful exploitation may allow attackers to cause a denial of service, leading to system unresponsiveness, service interruptions, and potential data corruption.
What is the Exploitability of CVE-2024-10569?
Exploitation of this denial of service vulnerability is of low complexity. It requires an attacker to simply upload a specially crafted zip bomb file to the Gradio application's dataframe component. No specific authentication or privilege is required beyond the ability to upload files to the application. This is a remote vulnerability, as the malicious file can be uploaded over the network. The key prerequisite is that the Gradio application must be configured in a way that allows file uploads to the vulnerable dataframe component. The presence of pd.read_csv processing user-uploaded compressed files without proper resource limits significantly increases the likelihood and ease of exploitation.
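The Technical Details and Exploitability sections above both come down to one missing control: the decompression that pd.read_csv performs on an upload is not bounded. The following is an added, self-contained example of the guard a defender would place in front of the parser; it is not code from gradio or pandas. It assumes the application already holds the upload as bytes, identifies the container by magic bytes rather than by filename extension, expands it through the standard library in fixed-size chunks under a hard budget, and only then hands plain CSV to the parser (the csv module here, or pd.read_csv with compression=None in load_dataframe). The 10 MiB budget, the function names, and the sample inputs are constructed for the example.

```python
import bz2
import csv
import gzip
import io
import lzma
import zipfile
from typing import List, Optional

# Budget for decompressed bytes (constructed default for this example).
DEFAULT_MAX_BYTES = 10 * 1024 * 1024
# Output is pulled from the decompressor in chunks of this size, so memory use
# is bounded by the budget plus one chunk regardless of the expansion ratio.
CHUNK = 64 * 1024


class UploadTooLarge(ValueError):
    """The compressed upload would expand past the allowed budget."""


def detect_compression(data: bytes) -> Optional[str]:
    """Identify the container from magic bytes instead of trusting a filename extension."""
    if data.startswith(b"\x1f\x8b"):
        return "gzip"
    if data.startswith(b"BZh"):
        return "bz2"
    if data.startswith(b"\xfd7zXZ\x00"):
        return "xz"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return None


def _read_bounded(stream, max_bytes: int) -> bytes:
    """Drain a decompressing stream chunk by chunk, aborting as soon as the budget is exceeded."""
    out = bytearray()
    while True:
        piece = stream.read(CHUNK)
        if not piece:
            return bytes(out)
        out += piece
        if len(out) > max_bytes:
            raise UploadTooLarge(f"decompressed size exceeds {max_bytes} bytes; refusing to continue")


def bounded_decompress(data: bytes, max_bytes: int = DEFAULT_MAX_BYTES) -> bytes:
    """Return plain CSV bytes for an upload, expanding any supported container under a hard size cap."""
    kind = detect_compression(data)
    if kind is None:
        if len(data) > max_bytes:
            raise UploadTooLarge("plain upload exceeds budget")
        return data
    raw = io.BytesIO(data)
    if kind == "gzip":
        with gzip.GzipFile(fileobj=raw) as f:
            return _read_bounded(f, max_bytes)
    if kind == "bz2":
        with bz2.BZ2File(raw) as f:
            return _read_bounded(f, max_bytes)
    if kind == "xz":
        with lzma.LZMAFile(raw) as f:
            return _read_bounded(f, max_bytes)
    # zip: require exactly one member (pandas does the same), reject on the declared
    # size first because it is cheap, then still read under the cap because the
    # central directory can lie about the member's size.
    with zipfile.ZipFile(raw) as zf:
        infos = zf.infolist()
        if len(infos) != 1:
            raise ValueError("zip upload must contain exactly one file")
        info = infos[0]
        if info.file_size > max_bytes:
            raise UploadTooLarge(f"zip member declares {info.file_size} bytes, over the {max_bytes} byte budget")
        with zf.open(info) as f:
            return _read_bounded(f, max_bytes)


def load_csv_rows(data: bytes, max_bytes: int = DEFAULT_MAX_BYTES) -> List[List[str]]:
    """Parse the upload with the standard csv module after the size-bounded expansion."""
    plain = bounded_decompress(data, max_bytes)
    return list(csv.reader(io.StringIO(plain.decode("utf-8"))))


def load_dataframe(data: bytes, max_bytes: int = DEFAULT_MAX_BYTES):
    """Same guard in front of pd.read_csv; compression=None so pandas never decompresses on its own."""
    import pandas as pd  # imported lazily; assumes pandas is installed in the application

    plain = bounded_decompress(data, max_bytes)
    return pd.read_csv(io.BytesIO(plain), compression=None)


def is_safe_upload(data: bytes, max_bytes: int = DEFAULT_MAX_BYTES) -> bool:
    """True when the upload expands within budget and is well formed, False when it should be dropped."""
    try:
        bounded_decompress(data, max_bytes)
        return True
    except (UploadTooLarge, ValueError, OSError, EOFError, zipfile.BadZipFile, lzma.LZMAError):
        return False


if __name__ == "__main__":
    # Constructed inputs: a small benign CSV and a gzip stream that expands to 4 MiB.
    benign = gzip.compress(b"name,score\nalice,1\nbob,2\n")
    bomb = gzip.compress(b"0" * (4 * 1024 * 1024))
    print(len(bomb), "compressed bytes, accepted under a 1 MiB budget:", is_safe_upload(bomb, 1024 * 1024))
    print(load_csv_rows(benign))
```

The budget is enforced on the decompressed output, not on the upload size, which is the quantity a zip bomb manipulates; a few kilobytes of gzip input are rejected as soon as the expanded output crosses the cap, long before the whole stream is inflated. Logging the UploadTooLarge rejections with the source address gives a simple detection signal for repeated attempts.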
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-10569?
Available Upgrade Options
- No fixes available
Additional Resources
- https://github.com/gradio-app/gradio/blob/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/components/dataframe.py#L263
- https://nvd.nist.gov/vuln/detail/CVE-2024-10569
- https://osv.dev/vulnerability/GHSA-7xmc-vhjp-qv5q
- https://huntr.com/bounties/7192bcbb-08a3-4d22-a321-9c6d19dbfc74
- https://github.com/gradio-app/gradio
What are Similar Vulnerabilities to CVE-2024-10569?
Similar Vulnerabilities: CVE-2023-37930, CVE-2021-29462, CVE-2020-11003, CVE-2018-11234, CVE-2018-1000858
