Vulnerability Information
Vulnerability Title
Regular Expression Denial of Service (ReDoS) in gradio-app/gradio
Vulnerability Description
A Regular Expression Denial of Service (ReDoS) vulnerability exists in the gradio-app/gradio repository, affecting the gr.Datetime component. The affected version is git commit 98cbcae. The vulnerability arises from the use of a regular expression `^(?:\s*now\s*(?:-\s*(\d+)\s*([dmhs]))?)?\s*$` to process user input. In Python's default regex engine, this regular expression can take polynomial time to match certain crafted inputs. An attacker can exploit this by sending a crafted HTTP request, causing the gradio process to consume 100% CPU and potentially leading to a Denial of Service (DoS) condition on the server.
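A defensive way to accept the same `now` / `now - <n><unit>` input without the polynomial matching cost, shown as an added example (not Gradio's code or its actual fix). The name `parse_relative`, the 64-character cap, the unit meanings and the choice to return `None` for blank input are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MAX_LEN = 64  # assumed cap; a legitimate "now - 30d" style value is far shorter
UNITS = {"d": "days", "h": "hours", "m": "minutes", "s": "seconds"}  # assumed meanings

# Applied only after strip(), so no pattern element has to absorb leading or
# trailing whitespace. Every remaining \s* is followed by a token that cannot
# itself be whitespace ("-", a digit, a unit letter), so no two whitespace
# quantifiers compete for the same run of characters.
RELATIVE = re.compile(r"now(?:\s*-\s*(\d{1,9})\s*([dmhs]))?", re.ASCII)


def parse_relative(value, now=None):
    """Return a datetime for 'now' / 'now - <n><unit>', None for blank input.

    Raises ValueError for anything else, including over-long input.
    """
    if not isinstance(value, str):
        raise ValueError("expected a string")
    if len(value) > MAX_LEN:  # bound the work before any pattern matching
        raise ValueError("input too long")
    text = value.strip()
    if not text:
        return None  # the original pattern also accepts blank input
    match = RELATIVE.fullmatch(text)
    if match is None:
        raise ValueError(f"not a relative time expression: {text!r}")
    now = now or datetime.now(timezone.utc)
    if match.group(1) is None:
        return now
    delta = timedelta(**{UNITS[match.group(2)]: int(match.group(1))})
    try:
        return now - delta
    except OverflowError:
        raise ValueError("offset out of range") from None


if __name__ == "__main__":
    fixed = datetime(2024, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed sample
    for sample in ["now", " now - 2d ", "now-30m", "", "now - 5w", "x" * 500]:
        try:
            print(repr(sample[:20]), "->", parse_relative(sample, fixed))
        except ValueError as exc:
            print(repr(sample[:20]), "-> rejected:", exc)
```

The length check runs before any matching, so request handling cost stays bounded even if the pattern is later edited in a way that reintroduces ambiguity.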
CVSS Information
N/A
Vulnerability Type
CWE-1333
Vulnerability Title
Gradio Resource Management Error Vulnerability
Vulnerability Description
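Gradio is an open-source Python library from Gradio for demonstrating machine learning models through a friendly web interface. Gradio version 98cbcae contains a resource management error vulnerability. It stems from a regular expression used by the gr.Datetime component that can lead to regular expression denial of service; an attacker can send a crafted HTTP request that makes the gradio process consume 100% CPU, resulting in denial of service on the server.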
CVSS Information
N/A
Vulnerability Type
N/A