HIGH 8.2

GHSA-pgfv-gvc5-prfg

Gradio Vulnerable to Arbitrary File Deletion

Details

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DOS) on the server.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / gradio

Introduced in: 4.0.0

No fixed version published yet for gradio (pip). Pin to a known-safe version or switch to an alternative.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-10648 [ADVISORY]
https://github.com/gradio-app/gradio [PACKAGE]
https://github.com/gradio-app/gradio/blame/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/processing_utils.py#L234 [WEB]
https://huntr.com/bounties/667d664d-8189-458c-8ed7-483fe8f33c76 [WEB]