GHSA-m842-4qm8-7gpq
Gradio allows users to access arbitrary files
Details
### Impact This vulnerability allows users of Gradio applications that have a public link (such as on Hugging Face Spaces) to access files on the machine hosting the Gradio application. This involves intercepting and modifying the network requests made by the Gradio app to the server.
### Patches Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher.
Fixed in: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7 CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-1728
Are you affected?
Enter the version of the package you're using.
Affected packages
References
- https://github.com/gradio-app/gradio/security/advisories/GHSA-m842-4qm8-7gpq [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-1728 [ADVISORY]
- https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a0165beb43446114eec7 [WEB]
- https://github.com/gradio-app/gradio [PACKAGE]
- https://huntr.com/bounties/9bb33b71-7995-425d-91cc-2c2a2f2a068a [WEB]