Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (vulncheck) · only source for this CVE.
CVSS VectorVendor: vulncheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment.
AnalysisAI
Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).
Technical ContextAI
The flaw lives in gradio/routes.py, which exposes a /proxy= reverse-proxy used to fetch sibling Hugging Face Spaces. Pre-fix code instantiated a single module-level httpx.AsyncClient and reused it via client.build_request/client.send for every proxied request. An httpx.AsyncClient carries a persistent cookie jar, so Set-Cookie headers from one upstream response were retained and re-sent on later requests to other hosts under the shared parent domain. This is a textbook CWE-384 (Session Fixation): a session/cookie value that should be per-request and per-tenant is instead carried across trust boundaries, letting an attacker pre-set the cookie used in victims' sessions. The vendor fix keeps the connection pool warm by sharing only an httpx.AsyncHTTPTransport (_proxy_transport) while creating a fresh httpx.AsyncClient per proxy call, isolating cookie jars; build_proxy_request was refactored to return (url, headers) rather than a client-bound request so no AsyncClient is shared.
RemediationAI
Vendor-released patch: Gradio 6.15.0 - upgrade to 6.15.0 or later, which isolates per-request cookie jars in /proxy= handling (commit feb7237d01f359d2ad4ee42d00344e61692b3b39, PR https://github.com/gradio-app/gradio/pull/13384, release https://github.com/gradio-app/gradio/releases/tag/gradio@6.15.0). If immediate upgrade is not possible, the concrete compensating control is to disable or block access to the reverse-proxy functionality: restrict or remove use of the /proxy= endpoint so untrusted/attacker-controlled upstream Spaces cannot return cookies into the shared client - the trade-off is that any Gradio feature relying on proxying sibling Spaces (for example embedded or chained Space content) will stop working. In shared hosting, avoid co-locating untrusted Spaces in the same Gradio process and segregate tenants, accepting the operational cost of reduced consolidation. Consult the VulnCheck advisory (https://www.vulncheck.com/advisories/gradio-cookie-injection-via-shared-pro) and GHSA-2mr9-9r47-px2g for vendor guidance.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32547
GHSA-7hp7-4p35-3cx2