We audited Gradio 5 to ensure your machine learning apps are secure.
Over the past few years, Gradio (over 6 million PyPI installations each month) has become the default way to build machine learning web applications in Python. With just a few lines of code, you can create user interfaces for image generation apps, chatbots, and other types of ML apps, and share them with others using Gradio’s built-in share links and Hugging Face Spaces.
import gradio as gr

def generate(seed, prompt):
    ...  # run your model here to produce an image from the seed and prompt
    return image

gr.Interface(
    generate,
    inputs=[gr.Slider(), gr.Textbox()],
    outputs=gr.Image(),
).launch(share=True)
Gradio’s goal is to enable developers to build web applications that are ideal for out-of-the-box machine learning use cases. This means developers can easily build applications that:
- Easily scale to large numbers of concurrent users
- Are accessible to as many users as possible
- Provide a consistent UI, UX, and theme
- Work reliably across many browsers and devices
…you don’t have to be an expert in scaling, accessibility, or UI/UX!
Now we’ll add web security to this list. We commissioned Trail of Bits, a leading cybersecurity firm, to conduct an independent audit of Gradio. All security issues they discovered were fixed before Gradio 5 was released.
This means that machine learning apps built with Gradio 5 follow best practices for web security without requiring significant changes to your code.
Why do a security audit?
Over the past few years, the Gradio team has been working with the community to patch security vulnerabilities as they are discovered. But as Gradio grows in popularity (there are currently over 470,000 Gradio apps in Hugging Face Spaces), security has become even more important.
So with Gradio 5, we decided to take a different approach: perform a preemptive security audit of the Gradio codebase to ensure that machine learning applications built with Gradio 5 are secure by default.
We commissioned Trail of Bits to conduct an independent and comprehensive audit of Gradio. Their team of AI and application security experts identified security risks in the Gradio codebase across four common scenarios:
- Gradio apps running locally
- Gradio apps deployed to Hugging Face Spaces or other servers
- Gradio apps shared with built-in share links
- Supply chain vulnerabilities due to Gradio CI pipelines
We then worked closely with Trail of Bits to identify mitigation strategies for each of these risks. While Gradio’s simplicity and ease of use are beneficial to developers, they also pose unique security challenges, because Gradio eliminates the need for developers to configure complex security measures such as CORS and CSP policies, so those defaults have to be right in Gradio itself.
By the end of the collaboration, we had remediated all security risks identified by Trail of Bits. All fixes have been verified by Trail of Bits and are included in the Gradio 5.0 release. Although it is impossible to prove that there are no security vulnerabilities, this is an important step to give you peace of mind that your Gradio app is safe.
Main findings
Below is a summary of the top security vulnerabilities discovered by Trail of Bits, grouped by the four scenarios listed above. In the spirit of transparency and open source, we are publishing the full security report, which provides details on each of these issues.
Gradio apps running locally
TOB-Gradio-1 and TOB-Gradio-2: A misconfigured server CORS policy that allows an attacker to steal access tokens, and thereby take over the victim’s account, when the victim visits a malicious website in the context of an authenticated Gradio server.
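To make the CORS finding concrete, here is an added example (not Gradio’s own code, and not from the audit report) that contrasts the weak pattern, reflecting whatever Origin the browser sends while allowing credentials, with a policy that only honours an explicit allowlist. The allowlist, function names, and port are assumptions chosen for a locally running app.

```python
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Constructed allowlist for a locally running app; adjust to your deployment.
ALLOWED_ORIGINS: Set[str] = {"http://localhost:7860", "http://127.0.0.1:7860"}


def weak_cors_headers(request_origin: str) -> Dict[str, str]:
    """Weak policy: reflect whatever Origin the browser sent and allow credentials.

    Any page the victim visits can then make credentialed requests to the server
    and read the responses, which is how session tokens leak to a foreign site.
    """
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin: str) -> Optional[str]:
    """Return scheme://host[:port] in lowercase, or None if it is not a valid origin."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    # A real Origin header never carries a path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def strict_cors_headers(request_origin: str,
                        allowed: Set[str] = ALLOWED_ORIGINS) -> Dict[str, str]:
    """Strict policy: only an exact, normalized allowlist match earns CORS headers.

    Returning no CORS headers at all makes the browser refuse to expose the
    response to the calling page, so an unlisted site learns nothing.
    """
    origin = normalize_origin(request_origin)
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # caches must not serve one origin's answer to another
    }
```

The exact-match comparison matters: a prefix or substring check would accept an origin such as `http://localhost:7860.attacker.example`, and the `null` origin (sent from sandboxed frames and some file:// pages) is rejected because it is not a well-formed scheme://host value.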
Gradio apps deployed to Hugging Face Spaces or other servers
TOB-Gradio-3: A full-read, GET-based SSRF that allows an attacker to send requests to, and read responses from, any endpoint, including endpoints on the user’s internal network.
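The usual mitigation for this class of SSRF is to validate the destination before the server fetches it. The following is an added example, not Gradio’s code and not the fix from the report, showing one way to do that: accept only http(s) URLs whose host resolves to a public address, rejecting loopback, private, link-local (cloud metadata style) and similar ranges. The DNS table and hostnames are constructed so the example runs offline; the resolver parameter is an assumption that lets you plug in `socket.gethostbyname` in a real deployment.

```python
import ipaddress
import socket
from typing import Callable
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; in production use the
# real resolver (socket.gethostbyname is the default below).
SAMPLE_DNS = {
    "internal.corp": "10.0.0.5",          # private range
    "metadata.local": "169.254.169.254",  # link-local, cloud-metadata style
    "public.example": "93.184.216.34",    # globally routable
}


def sample_resolver(host: str) -> str:
    """Stand-in for DNS resolution, backed by the constructed table above."""
    if host not in SAMPLE_DNS:
        raise OSError(f"cannot resolve {host}")
    return SAMPLE_DNS[host]


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def is_safe_destination(url: str,
                        resolver: Callable[[str], str] = socket.gethostbyname) -> bool:
    """Accept http(s) URLs whose host resolves to a public address; reject everything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname  # brackets are already stripped from IPv6 literals
    try:
        ipaddress.ip_address(host)  # an IP literal needs no lookup
        address = host
    except ValueError:
        try:
            address = resolver(host)
        except OSError:
            return False  # unresolvable hosts are rejected outright
    return is_public_ip(address)
```

Two caveats a practitioner should keep in mind: the check must be followed by connecting to the address that was validated (not a second, later lookup, which a rebinding DNS record could point elsewhere), and any redirect the fetched endpoint returns has to go through the same validation before it is followed.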
TOB-Gradio-10: Upload of arbitrary file types, which allows an attacker to host an XSS payload on your Gradio server. In the context of an authenticated Gradio server, an attacker could use this to take over a user’s account when the victim visits the attacker’s malicious website.
TOB-Gradio-13: A race condition that allows an attacker to reroute user traffic to their own server and steal uploaded files and chatbot conversations.
TOB-Gradio-16: Post-processing functionality in several components that could allow an attacker to leak arbitrary files under a very simple Gradio server configuration.
Gradio apps shared with built-in share links
TOB-Gradio-19: Remote code execution (RCE) as root on the Gradio API server, where an nginx misconfiguration exposed an unauthenticated Docker API. This would allow an attacker to supply a malicious host and port in step 2 of the diagram, redirecting all frp tunnels to a malicious server that logs all user traffic, including uploaded files and chatbot conversations.
TOB-Gradio-11: Communication between the frp client and the frp server lacks robust encryption, allowing an attacker to intercept the requests (steps 6 and 7 in the diagram above) and read and modify the data exchanged with the frp server.
Supply chain vulnerabilities caused by Gradio CI pipelines
TOB-Gradio-25: Some GitHub Actions workflows in Gradio repositories used third-party actions pinned to tags or branch names instead of full commit SHAs. This would allow an attacker who controls such an action to silently modify it, potentially leading to tampered application releases and leaked secrets.
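A tag or branch name can be moved to a different commit at any time, whereas a full commit SHA cannot, which is why pinning by SHA is the standard mitigation. The following added example (not Gradio’s tooling, and not from the report) scans workflow text for `uses:` references and reports every third-party action that is not pinned to a 40-character commit SHA. The workflow text is constructed for the example, the hex SHA in it is made up, and the regular-expression approach is an assumption that avoids a YAML dependency; a real workflow linter would parse the YAML properly.

```python
import re
from typing import List, Tuple

# Constructed workflow text: one step pinned to a tag, one to a (made-up) full SHA,
# one to a branch, a plain `run:` step that must be ignored, and a local action.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567  # SHA is constructed
      - uses: some-org/lint-action@main
      - name: run tests
        run: pytest
      - uses: ./.github/actions/local-helper
"""

# Matches `- uses: owner/repo@ref`, with optional quotes and a trailing comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def unpinned_actions(workflow_text: str) -> List[Tuple[str, str]]:
    """Return (reference, reason) for each third-party action not pinned to a full commit SHA."""
    findings: List[Tuple[str, str]] = []
    for match in USES_RE.finditer(workflow_text):
        ref = match.group(1)
        # Local actions and docker images are versioned differently; skip them here.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((ref, "no version reference at all"))
            continue
        _, version = ref.rsplit("@", 1)
        if not FULL_SHA_RE.match(version):
            findings.append((ref, "pinned to a mutable tag or branch, not a commit SHA"))
    return findings


if __name__ == "__main__":
    for reference, reason in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{reference}: {reason}")
```

Running this kind of check in CI, and keeping a comment next to each SHA naming the tag it was taken from (as the sample does), makes the pin auditable without giving up the ability to see at a glance which version is in use.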
Separately, GitHub’s security researchers reported a GitHub Actions workflow that could potentially have allowed untrusted code execution or secret disclosure if an attacker triggered the workflow and dumped the GitHub runner’s memory.
For the future
We are very grateful to Trail of Bits for their comprehensive security audit of Gradio and validation of the mitigations we have implemented in Gradio 5.
We will continue to work with the security community to identify and mitigate security issues in Gradio. We are also adding security unit tests to our test suites, fuzzer tests designed specifically to surface potential vulnerabilities, and static analysis tools such as Semgrep in CI, so that common security issues in our code are detected early and security regressions are prevented.
As we continue to develop Gradio 5 (and we have a lot planned!), we’ll do our part to make machine learning applications better and more secure by developing in a security-first way.
Install Gradio 5 now.
pip install --upgrade gradio
Then start building your first Gradio 5 application.