CRITICAL 9.8

PYSEC-2024-274

Details

Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user attacking himself.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / gradio

Introduced in: 0

No fixed version published yet for gradio (pip). Pin to a known-safe version or switch to an alternative.

References

https://github.com/advisories/GHSA-9v2f-6vcg-3hgv [ADVISORY]
https://github.com/gradio-app/gradio/issues/8853 [REPORT]
https://github.com/Aaron911/PoC/blob/main/Gradio.md [EVIDENCE]