Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-28415

4.3 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): LOW
Availability impact (A): NONE

created 1 month, 4 weeks ago Activity log

Created suggestion 1 month, 4 weeks ago

Gradio has Open Redirect in OAuth Flow

Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.6.0, the _redirect_to_target() function in Gradio's OAuth flow accepts an unvalidated _target_url query parameter, allowing redirection to arbitrary external URLs. This affects the /logout and /login/callback endpoints on Gradio apps with OAuth enabled (i.e. apps running on Hugging Face Spaces with gr.LoginButton). Starting in version 6.6.0, the _target_url parameter is sanitized to only use the path, query, and fragment, stripping any scheme or host.

References

https://github.com/gradio-app/gradio/security/advisories/GHSA-pfjf-5gxr-995x x_refsource_CONFIRM

Affected products

gradio

==< 6.6.0

Matching in nixpkgs

pkgs.python312Packages.gradio

Python library for easily interacting with trained machine learning models

nixos-25.11 5.49.1
- nixos-25.11-small 5.49.1
- nixpkgs-25.11-darwin 5.49.1

pkgs.python313Packages.gradio

Python library for easily interacting with trained machine learning models

nixos-unstable 6.5.1
- nixpkgs-unstable 6.5.1
- nixos-unstable-small 6.5.1
nixos-25.11 5.49.1
- nixos-25.11-small 5.49.1
- nixpkgs-25.11-darwin 5.49.1

pkgs.python314Packages.gradio

Python library for easily interacting with trained machine learning models

nixos-unstable 6.5.1
- nixpkgs-unstable 6.5.1
- nixos-unstable-small 6.5.1

pkgs.python312Packages.gradio-pdf

Python library for easily interacting with trained machine learning models

nixos-25.11 0.0.22
- nixos-25.11-small 0.0.22
- nixpkgs-25.11-darwin 0.0.22

pkgs.python313Packages.gradio-pdf

Python library for easily interacting with trained machine learning models

nixos-unstable 0.0.23
- nixpkgs-unstable 0.0.23
- nixos-unstable-small 0.0.23
nixos-25.11 0.0.22
- nixos-25.11-small 0.0.22
- nixpkgs-25.11-darwin 0.0.22

pkgs.python314Packages.gradio-pdf

Python library for easily interacting with trained machine learning models

nixos-unstable 0.0.23
- nixpkgs-unstable 0.0.23
- nixos-unstable-small 0.0.23

pkgs.pkgsRocm.python3Packages.gradio

Python library for easily interacting with trained machine learning models

nixos-unstable 6.5.1
- nixpkgs-unstable 6.5.1
- nixos-unstable-small 6.5.1
nixos-25.11 5.49.1
- nixos-25.11-small 5.49.1
- nixpkgs-25.11-darwin 5.49.1

pkgs.python312Packages.gradio-client

Lightweight library to use any Gradio app as an API

nixos-25.11 1.12.1
- nixos-25.11-small 1.12.1
- nixpkgs-25.11-darwin 1.12.1

pkgs.python313Packages.gradio-client

Lightweight library to use any Gradio app as an API

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1
nixos-25.11 1.12.1
- nixos-25.11-small 1.12.1
- nixpkgs-25.11-darwin 1.12.1

pkgs.python314Packages.gradio-client

Lightweight library to use any Gradio app as an API

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1

pkgs.pkgsRocm.python3Packages.gradio-pdf

Python library for easily interacting with trained machine learning models

nixos-unstable 0.0.23
- nixpkgs-unstable 0.0.23
- nixos-unstable-small 0.0.23
nixos-25.11 0.0.22
- nixos-25.11-small 0.0.22
- nixpkgs-25.11-darwin 0.0.22

pkgs.pkgsRocm.python3Packages.gradio-client

Lightweight library to use any Gradio app as an API

nixos-unstable 2.0.1
- nixpkgs-unstable 2.0.1
- nixos-unstable-small 2.0.1
nixos-25.11 1.12.1
- nixos-25.11-small 1.12.1
- nixpkgs-25.11-darwin 1.12.1

Package maintainers

@pbsds Peder Bergebakken Sundt <pbsds@hotmail.com>