CVE-2024-8966 — Gradio DOS in multipart boundry while uploading the file

Description

A vulnerability in the file upload process of gradio-app/gradio version @gradio/video@0.10.2 allows for a Denial of Service (DoS) attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue warnings. This can render Gradio inaccessible for extended periods, disrupting services and causing significant downtime.

How to fix CVE-2024-8966

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2024-8966 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 5.22.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-8966
PATCHgithub.com/gradio-app/gradio
WEBgithub.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47
WEBhuntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2