Gradio allows users to access arbitrary files
Critical severity
GitHub Reviewed (reviewed Sep 25, 2024)
Published Sep 25, 2024 in gradio-app/gradio
Last updated Sep 27, 2024
Description
Impact
Anyone who can reach a Gradio application over a public link (for example, an app hosted on Hugging Face Spaces) can read files on the machine hosting that application. The attacker does not need special access to the host: the attack consists of intercepting the network requests the Gradio front end sends to its own server and modifying them so that the server reads and returns a file it was never meant to serve.
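The advisory does not spell out which request field carried the path, so the following is an added illustration, not Gradio's code and not a reproduction of the patched endpoint. It shows the class of bug described above (a server that opens whatever path a client request names) next to the class of check that closes it: resolving the client-supplied path and requiring it to sit inside an allow-listed directory. The function and variable names, the temporary "uploads" directory and the file contents are all constructed for the example.

```python
"""Added example (not Gradio's code): serving a client-supplied file path
unchecked vs. only after an allow-list check. All names are hypothetical."""
import tempfile
from pathlib import Path


class PathNotAllowed(Exception):
    """Raised when a requested path resolves outside every allowed directory."""


def resolve_under_allowed(user_path: str, allowed_dirs) -> Path:
    """Resolve user_path (following symlinks and collapsing '..') and require
    the result to live inside one of allowed_dirs. Returns the safe path or
    raises PathNotAllowed.

    Path.relative_to is used instead of a string startswith() check: the
    latter would accept '/srv/uploads_evil/x' for a base of '/srv/uploads'."""
    candidate = Path(user_path).resolve()
    for base in allowed_dirs:
        base = Path(base).resolve()
        try:
            candidate.relative_to(base)
        except ValueError:
            continue
        return candidate
    raise PathNotAllowed(f"{user_path!r} is outside the allowed directories")


def serve_file_unchecked(user_path: str) -> bytes:
    """Vulnerable pattern: trusts the path exactly as the request carried it."""
    with open(user_path, "rb") as f:
        return f.read()


def serve_file_checked(user_path: str, allowed_dirs) -> bytes:
    """Hardened pattern: reads only after the allow-list check passes."""
    path = resolve_under_allowed(user_path, allowed_dirs)
    with open(path, "rb") as f:
        return f.read()


def demo() -> dict:
    """Run both patterns against constructed inputs in a throwaway directory.

    Returns {attempt_name: (unchecked_read_succeeded, checked_outcome)} where
    checked_outcome is 'served' or 'rejected'."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        uploads = Path(tmp) / "uploads"          # the only directory we mean to serve
        uploads.mkdir()
        (uploads / "avatar.png").write_bytes(b"\x89PNG constructed sample")
        secret = Path(tmp) / "secret.txt"        # stands in for a file outside the app
        secret.write_bytes(b"constructed secret material")

        # A symlink inside the allowed tree that points outside of it.
        link = uploads / "escape"
        try:
            link.symlink_to(secret)
            has_symlink = True
        except (OSError, NotImplementedError):
            has_symlink = False

        attempts = {
            "legit": str(uploads / "avatar.png"),
            "traversal": str(uploads / ".." / "secret.txt"),
            "absolute": str(secret),
        }
        if has_symlink:
            attempts["symlink"] = str(link)

        for name, requested in attempts.items():
            # The unchecked server happily opens every one of these.
            unchecked_ok = len(serve_file_unchecked(requested)) > 0
            try:
                serve_file_checked(requested, [uploads])
                outcome = "served"
            except PathNotAllowed:
                outcome = "rejected"
            results[name] = (unchecked_ok, outcome)
    return results


if __name__ == "__main__":
    for attempt, (unchecked_ok, outcome) in demo().items():
        print(f"{attempt:10s} unchecked_read={unchecked_ok} checked={outcome}")
```

Resolving both the candidate and the base before comparing matters: it defeats `..` segments, absolute paths and symlinks planted inside the allowed tree in one step, and it keeps the comparison correct on hosts where the temp directory itself is a symlink. A check that only rejects literal `../` substrings would miss the absolute-path and symlink cases shown here.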
Patches
The problem has been patched in Gradio 4.19.2. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.
Fixed in: gradio-app/gradio@16fbe9c
CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1728