CVE-2024-8966
Published: 20 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-8966 is a vulnerability in the file upload process of the Gradio library from gradio-app/gradio, specifically affecting the @gradio/video@0.10.2 component. It enables a Denial of Service (DoS) attack by allowing an attacker to append a large number of characters to the end of a multipart boundary in an upload request. This forces the system to continuously process each character while issuing warnings, which can render the Gradio application inaccessible for extended periods and cause significant service disruption.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), meaning it is exploitable remotely over the network with low attack complexity, no required privileges or user interaction, and results in high availability impact but no effects on confidentiality or integrity. Unauthenticated attackers who can reach a vulnerable Gradio instance's file upload endpoint are able to trigger the condition, leading to prolonged downtime and resource exhaustion classified under CWE-770.
Advisories reference a patch in the Gradio repository at https://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47, which addresses the issue. The vulnerability was disclosed via a Huntr bounty report at https://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2. Practitioners should update to patched versions of Gradio to mitigate exposure.
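As an added example that is not Gradio's code or the upstream patch, the following pre-parse check rejects an upload whose multipart boundary is malformed or oversized, or whose body carries padding after the closing delimiter, before the request reaches the real multipart parser. The 70-character limit and the boundary character set are RFC 2046's; the 2-byte epilogue allowance and every sample value are assumptions.

```python
"""Pre-parse checks for multipart/form-data uploads (added example, not Gradio's
code or its fix): stop padded boundaries before a parser walks through them."""
import re
from typing import Optional, Tuple

# RFC 2046 5.1.1: 1 to 70 characters from this set, not ending in a space. A
# boundary padded with a long run of characters, as described for
# CVE-2024-8966, fails this check before any parser sees it.
_BCHARS = re.compile(r"^[0-9A-Za-z'()+_,\-./:=? ]{0,69}[0-9A-Za-z'()+_,\-./:=?]$")
# Bytes tolerated after "--boundary--": just a trailing CRLF (assumed limit).
MAX_EPILOGUE_BYTES = 2


def extract_boundary(content_type: str) -> Optional[str]:
    """Return the boundary parameter of a multipart/form-data Content-Type."""
    media_type, _, params = content_type.partition(";")
    if media_type.strip().lower() != "multipart/form-data":
        return None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]  # quoted-string form
            return value
    return None


def boundary_is_acceptable(boundary: Optional[str]) -> bool:
    """RFC 2046 syntax check; a missing boundary is rejected too."""
    return boundary is not None and _BCHARS.match(boundary) is not None


def epilogue_is_acceptable(body: bytes, boundary: str) -> bool:
    """Allow at most a CRLF after the closing delimiter "--boundary--"."""
    # The first occurrence is the real delimiter: RFC 2046 forbids the boundary
    # inside any part, so everything after it is epilogue, never upload data.
    closing = b"--" + boundary.encode("ascii") + b"--"
    idx = body.find(closing)
    if idx == -1:
        return False  # no closing delimiter: incomplete body, reject
    tail = body[idx + len(closing):]
    return len(tail) <= MAX_EPILOGUE_BYTES and tail.strip(b"\r\n") == b""


def check_upload(content_type: str, body: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for one fully buffered upload request."""
    boundary = extract_boundary(content_type)
    if not boundary_is_acceptable(boundary):
        return False, "malformed or oversized multipart boundary"
    if not epilogue_is_acceptable(body, boundary):
        return False, "missing closing boundary or trailing data"
    return True, "ok"
```

Rejected requests can be answered with 400 and logged; a burst of "malformed or oversized multipart boundary" rejections from one client is the signal a detection rule would key on.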
Details
- CWE(s): CWE-770
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables remote exploitation of the Gradio file upload endpoint via a crafted multipart request, causing excessive character processing and resource exhaustion that denies service availability.