GHSA-6v6g-j5fq-hpvw: Local file inclusion in gradio

Skip to content

Navigation Menu

• • Actions

    Automate any workflow

  • Packages

    Host and manage packages

  • Security

    Find and fix vulnerabilities

  • Codespaces

    Instant dev environments

  • GitHub Copilot

    Write better code with AI

  • Code review

    Manage code changes

  • Issues

    Plan and track work

  • Discussions

    Collaborate outside of code

• • GitHub Sponsors

    Fund open source developers

*   The ReadME Project
    
    GitHub community articles

• • Enterprise platform

    AI-powered developer platform

• Pricing

Provide feedback

Saved searches****Use saved searches to filter your results more quickly

Sign up

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2024-4941

Local file inclusion in gradio

High severity GitHub Reviewed Published Jun 6, 2024 to the GitHub Advisory Database • Updated Jun 6, 2024

Affected versions

< 4.31.3

Description

A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises from improper input validation in the postprocess() function within gradio/components/json_component.py, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a path key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the /file=… endpoint. This issue is due to the processing_utils.move_files_to_cache() function traversing any object passed to it, looking for a dictionary with a path key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.

References

• https://nvd.nist.gov/vuln/detail/CVE-2024-4941
• gradio-app/gradio@ee1e294
• https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e

Published to the GitHub Advisory Database

Jun 6, 2024