CVE-2024-47868: Gradio has several components with post-process steps allow arbitrary file leaks

October 10, 2024 (updated January 21, 2025)

What kind of vulnerability is it? Who is impacted?

This is a data validation vulnerability affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass expected input constraints. This issue could lead to sensitive files being exposed to unauthorized users, especially when combined with other vulnerabilities, such as issue TOB-GRADIO-15. The components most at risk are those that return or handle file data.

References

github.com/advisories/GHSA-4q3c-cj7g-jcwf
github.com/gradio-app/gradio
github.com/gradio-app/gradio/security/advisories/GHSA-4q3c-cj7g-jcwf
github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-217.yaml
nvd.nist.gov/vuln/detail/CVE-2024-47868

Code Behaviors & Features

Detect and mitigate CVE-2024-47868 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →