Gradio App Vulnerability Allows Unauthorized File Read Access
CVE-2024-1561
What is CVE-2024-1561?
A significant vulnerability exists in Gradio: the /component_server endpoint does not adequately restrict which methods can be invoked on the Component class, while accepting attacker-controlled input. By invoking the move_resource_to_block_cache() method of the Block class through this endpoint, an attacker can copy any file on the filesystem into a temporary directory from which it can then be retrieved. This local file read vulnerability is particularly concerning for applications exposed to the internet with launch(share=True), since it grants unauthorized remote access to files on the host system. Applications hosted on huggingface.co may also be susceptible, potentially exposing sensitive information such as API keys and credentials stored in environment variables.
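Added detection example (not code from the advisory or from the Gradio project): it scans constructed, JSON-formatted request logs for POSTs to /component_server whose body names move_resource_to_block_cache, the method the advisory identifies. The log format, the "fn_name" request field and the sample lines are assumptions; Gradio's own access log does not record request bodies, so this presumes a reverse proxy that captures them.

```python
import json
from typing import Optional

# Endpoint and Block method named in the advisory for CVE-2024-1561.
DANGEROUS_ENDPOINT = "/component_server"
DANGEROUS_METHOD = "move_resource_to_block_cache"


def inspect_record(record: dict) -> Optional[dict]:
    """Return an alert dict if one log record looks like abuse of the endpoint."""
    if record.get("method", "").upper() != "POST":
        return None
    path = record.get("path", "").split("?", 1)[0].rstrip("/")
    if path != DANGEROUS_ENDPOINT:
        return None
    body = record.get("body", "")
    fn_name = None
    try:
        # "fn_name" is assumed to be the field carrying the method to invoke.
        fn_name = json.loads(body).get("fn_name")
    except (ValueError, AttributeError):
        pass  # not JSON, or JSON that is not an object: fall through
    # Fall back to a substring match so malformed or non-JSON bodies still surface.
    if fn_name == DANGEROUS_METHOD or (fn_name is None and DANGEROUS_METHOD in body):
        return {"src": record.get("src"), "fn_name": fn_name or DANGEROUS_METHOD}
    return None


def scan_log(lines) -> list:
    """Scan one-JSON-object-per-line request logs; return alerts with line numbers."""
    alerts = []
    for number, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            continue  # skip unparseable lines rather than failing the scan
        hit = inspect_record(record)
        if hit:
            hit["line"] = number
            alerts.append(hit)
    return alerts


# Constructed sample log lines (hypothetical proxy format, not from a real incident).
SAMPLE_LOG = [
    '{"src": "10.0.0.5", "method": "GET", "path": "/"}',
    '{"src": "10.0.0.5", "method": "POST", "path": "/component_server", "body": "{\\"fn_name\\": \\"example_method\\"}"}',
    '{"src": "203.0.113.9", "method": "POST", "path": "/component_server", "body": "{\\"fn_name\\": \\"move_resource_to_block_cache\\"}"}',
    '{"src": "203.0.113.9", "method": "POST", "path": "/component_server/", "body": "fn_name=move_resource_to_block_cache"}',
    '{"src": "10.0.0.7", "method": "POST", "path": "/run/predict", "body": "{}"}',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['src']} called {alert['fn_name']}")
```

Any hit on an instance running gradio < 4.13.0 warrants upgrading and rotating secrets held in the host's environment.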

Affected Version(s)
gradio-app/gradio < 4.13.0
References
EPSS Score
93% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved
