High

gradio

Arbitrary Local File Read in Gradio via Component Method Invocation

A vulnerability in Gradio version 4.12.0 allows attackers to read arbitrary files on the server by exploiting the `/component_server` endpoint to call any method on a `Component` class, specifically `move_resource_to_block_cache()`. This issue was patched in version 4.13.0.

Available publicly on Apr 16 2024

7.5

CVE:

CVE-2024-1561

CWE:

29:Path Traversal: '\..\filename'

CVSS:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Credit:

ozelis
AssessDetect

Available

Remediate
Remediation Steps
  • Update Gradio to version 4.13.0 or later.
  • Review and restrict access to sensitive files that could be targeted.
  • Implement additional input validation on server endpoints to prevent unauthorized method invocation.
  • Regularly audit and monitor application logs for suspicious activity.
Patch Details
  • Fixed Version: 4.13.0
  • Patch Commit: https://github.com/gradio-app/gradio/commit/24a583688046867ca8b8b02959c441818bdb34a2
Want more out of Sightline?

Sightline offers even more for premium customers

Go Premium

We have - related security advisories that are available with Sightline Premium.