Gradio UploadButton Component Vulnerable to Local File Inclusion
CVE-2024-1728
What is CVE-2024-1728?
Gradio, a popular framework for building machine learning applications, has a local file inclusion vulnerability caused by inadequate validation of user-supplied input within the UploadButton component. An attacker can send a crafted request to the /queue/join endpoint that manipulates the file path, causing the server to read arbitrary files from its filesystem, including sensitive files such as private SSH keys. The vulnerability exposes a critical weakness in the file upload process: because the upload path is not confined to the intended directory, the flaw permits unintended file redirections and could be a stepping stone to more severe attacks, including remote code execution.
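The kind of path-containment check an upload handler needs, as an added example: this is not Gradio's code nor its actual fix, and the upload root /srv/gradio_uploads and the function names are constructed for illustration.

```python
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a user-supplied path would escape the upload directory."""


def resolve_upload_path(upload_root: str, user_path: str) -> Path:
    """Return the resolved location for user_path, or raise if it leaves upload_root.

    Hypothetical helper (not Gradio's code). The check compares resolved path
    components rather than string prefixes, so '..' segments, absolute paths and
    symlinks pointing outside the root are all caught, and a sibling directory
    such as '<root>_evil' is not mistaken for being inside '<root>'.
    """
    root = Path(upload_root).resolve()
    # Joining an absolute path onto root would discard root entirely, so reject it up front.
    if os.path.isabs(user_path):
        raise UnsafePathError(f"absolute path rejected: {user_path!r}")
    # resolve() is non-strict by default, so a not-yet-written file still validates;
    # it also follows symlinks, which is what makes the containment check meaningful.
    candidate = (root / user_path).resolve()
    # The root itself (from '' or '.') is a directory, not an upload, so it is rejected too.
    if root not in candidate.parents:
        raise UnsafePathError(f"path escapes upload root: {user_path!r}")
    return candidate


def is_safe_upload_path(upload_root: str, user_path: str) -> bool:
    """Boolean form of resolve_upload_path for callers that only need accept/reject."""
    try:
        resolve_upload_path(upload_root, user_path)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    # Constructed upload root; it need not exist for the check to run.
    ROOT = "/srv/gradio_uploads"
    for supplied in ["image.png", "sub/a/../b.png", "../../etc/passwd",
                     "/etc/passwd", "../gradio_uploads_evil/x", "."]:
        verdict = "accept" if is_safe_upload_path(ROOT, supplied) else "reject"
        print(f"{supplied!r:32} -> {verdict}")
```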
Affected Version(s)
gradio-app/gradio < 4.19.2
EPSS Score
76% chance of being exploited in the next 30 days.