@superboy-zjc
Last active June 18, 2025 01:49
Gradio CORS Origin Validation Bypass Enables Cross-Origin Data Exfiltration

Gradio CORS Origin Validation Bypass Vulnerability

Summary

Gradio's CORS configuration is designed to protect internally deployed applications from attack vectors such as CSRF and data exfiltration originating from external sources. However, the current implementation of the CORS origin validation, which was fixed under CVE-2024-47165, still contains flaws that allow malicious actors to bypass it. This vulnerability can be exploited to steal sensitive data from internally deployed Gradio applications, even when they are intended to be protected against such attacks.

  • Status: Assigned
  • CVE: CVE-2025-5320

Affected Version

Gradio <= 5.6.0

Impact

This vulnerability could allow unauthorized access to sensitive data from internal applications, posing significant risks in scenarios where Gradio is used for sensitive data processing or hosting secure applications.

Root Cause

Gradio utilizes the is_valid_origin method to determine the validity of incoming cross-origin requests. The method aims to block cross-origin requests for locally deployed applications by verifying if the Host header matches the predefined localhost_aliases.

Flaw in Validation Mechanism

  1. Localhost Identification:
    • Gradio differentiates between locally deployed applications and public-facing ones by comparing the request Host header with localhost_aliases (e.g., 127.0.0.1, localhost). If a match is found, Gradio blocks cross-origin requests unless the Origin header matches localhost_aliases.
  2. Inherent Trust for Non-Local Applications:
    • When the application is deemed public-facing (not matching localhost_aliases), Gradio allows all cross-origin requests without verifying the origin. This creates an unintended trust relationship.
Exploitation Methods

Attackers can exploit this flawed defensive mechanism by manipulating the target URL to bypass the origin validation in at least two ways:

  1. IPv6 Address Exploitation:
    • Requests made to http://[::ffff:7f00:1]:PORT/ bypass the origin check because IPv6 addresses mapped to localhost are not accounted for in localhost_aliases.
  2. Public Domain Resolving to Localhost:
    • By using a public domain that resolves to localhost, such as http://127.0.0.1.nip.io:PORT/, attackers can bypass the validation logic and send unauthorized cross-origin requests.

Proof of Concept (PoC)

Steps to Reproduce

  • Deploy a demo Gradio app:

    python3 gradio.demo.py
  • Deploy exploitation payloads on a different origin:

  • Perform the attack:

    • Trigger the exploit by clicking the buttons on the exploitation pages. The actions mimic a malicious actor exfiltrating sensitive data from the internal application.

Results

The demonstration shows that both methods successfully bypass Gradio's CORS restrictions, allowing cross-origin requests to access data from the internal environment.

[Figure: Gradio CORS IPv6 Bypass]

[Figure: Gradio CORS Domain Bypass]

Recommended Mitigations

  1. Enhance Origin Validation:
    • Add support for validating public domains that resolve to an internal network. For example, resolve the Host header to determine whether the resulting IP address is an internal IP address.
  2. Restrict CORS Policies for Public Deployments:
    • Enforce restrictive CORS rules for public-facing Gradio applications, specifying trusted origins explicitly. For example, enforce a whitelist-based origin validation approach for cross-origin requests to public-facing applications.
  3. Update Gradio Documentation:
    • Clearly document the risks associated with using the current CORS configuration and provide guidelines for secure deployments.
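
A sketch of the first mitigation, added here as an example; it is not Gradio's code and not part of the original advisory. It puts a simplified model of the alias comparison described under Root Cause beside a check that classifies the Host header by the address it denotes. The alias list, the function names and the injectable resolver are assumptions, and a result of "local" means the strict origin check should apply.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed alias list modelled on the advisory's description, not Gradio's source.
LOCALHOST_ALIASES = {"localhost", "127.0.0.1", "0.0.0.0"}


def host_only(host_header):
    """Strip the port and IPv6 brackets from a Host header value."""
    try:
        return (urlsplit("//" + host_header.strip()).hostname or "").rstrip(".")
    except ValueError:
        return ""  # malformed bracketed literal


def alias_check_is_local(host_header):
    """Simplified model of the string comparison the advisory describes."""
    return host_only(host_header) in LOCALHOST_ALIASES


def system_resolver(name):
    """Default resolver: every address the system returns for the name."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def is_internal_ip(text):
    """True for loopback, private, link-local or unspecified addresses."""
    ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:7f00:1 is 127.0.0.1 in IPv6 clothing
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_unspecified


def hardened_is_local(host_header, resolver=system_resolver):
    """Classify the Host by the address it denotes, not by how it is spelled."""
    host = host_only(host_header)
    if not host or host in LOCALHOST_ALIASES:
        return True  # empty or unparsable Host fails closed
    try:
        return is_internal_ip(host)
    except ValueError:
        pass  # not an IP literal, so it is a name that must be resolved
    try:
        addresses = resolver(host)
    except OSError:
        return True  # resolution failure fails closed
    return not addresses or any(is_internal_ip(a) for a in addresses)
```

A name can resolve differently between this check and a later request, so resolution alone does not replace the explicit trusted-origin list in mitigation 2.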