HIGH 7.5

PYSEC-2023-249

Details

Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the `/file` route which made them susceptible to file traversal attacks in which an attacker could access arbitrary files on a machine running a Gradio app with a public URL (e.g. if the demo was created with `share=True`, or on Hugging Face Spaces) if they knew the path of files to look for. This issue has been patched in version 4.11.0.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / gradio

Introduced in: 0 Fixed in: 1b9d4234d6c25ef250d882c7b90e1f4039ed2d76

Fix pip install --upgrade 'gradio>=1b9d4234d6c25ef250d882c7b90e1f4039ed2d76'

References

https://github.com/gradio-app/gradio/security/advisories/GHSA-6qm2-wpxq-7qh2 [ADVISORY]
https://github.com/gradio-app/gradio/commit/1b9d4234d6c25ef250d882c7b90e1f4039ed2d76 [FIX]
https://github.com/gradio-app/gradio/commit/7ba8c5da45b004edd12c0460be9222f5b5f5f055 [FIX]