CVE-2024-10624
Regular Expression Denial of Service (ReDoS) in gradio-app/gradio
We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.
Please see our statement on Data Privacy.
Regular Expression Denial of Service (ReDoS) in gradio-app/gradio
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
Reserved 2024-10-31 | Published 2025-03-20 | Updated 2025-03-20 | Assigner @huntr_aiCWE-400 Uncontrolled Resource Consumption
huntr.com/bounties/e8d0b248-8feb-4c23-9ef9-be4d1e868374
Support options
