Data Validation Vulnerability in Gradio Components Could Lead to Arbitrary File Leaks
CVE-2024-47868

7.5HIGH

Key Information:

Vendor: Gradio-app
Status: Gradio
Vendor: CVE Published:; 10 October 2024

What is CVE-2024-47868?

The Gradio open-source Python package contains a data validation vulnerability that affects several components, permitting arbitrary file leaks during the post-processing stage. Attackers can exploit this vulnerability by crafting requests that bypass existing input validation constraints. Compromised components, including DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton, Chatbot, and MultimodalTextbox, are susceptible to leaking sensitive files when not adequately secured. For example, an attacker might manipulate a Dropdown list linked to a DownloadButton to access files such as '/etc/passwd'. The vulnerability also impacts Code through direct file reading in preprocess, as well as components like ParamViewer and Dataset that convert dictionaries to FileData. It is crucial to upgrade to Gradio version 5.0 or later, as no workarounds are available to mitigate the risk associated with this vulnerability.

Affected Version(s)

gradio < 5.0

References

https://github.com/gradio-app/gradio/security/advisories/...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 10, 2024

Gradio-app

What is CVE-2024-47868?

Affected Version(s)

References

CVSS V3.1

Timeline