GHSA-6v6g-j5fq-hpvw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6v6g-j5fq-hpvw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-6v6g-j5fq-hpvw/GHSA-6v6g-j5fq-hpvw.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6v6g-j5fq-hpvw
- Aliases
- Published
- 2024-06-06T18:30:58Z
- Modified
- 2025-10-18T07:10:59.346528Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Local file inclusion in gradio
- Details
-
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio and was discovered in version 4.25. The vulnerability arises from improper input validation in the
postprocess()function withingradio/components/json_component.py, where a user-controlled string is parsed as JSON. If the parsed JSON object contains apathkey, the specified file is moved to a temporary directory, making it possible to retrieve it later via the/file=..endpoint. This issue is due to theprocessing_utils.move_files_to_cache()function traversing any object passed to it, looking for a dictionary with apathkey, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk. - Database specific
{ "github_reviewed_at": "2024-06-06T22:13:47Z", "severity": "HIGH", "cwe_ids": [ "CWE-20", "CWE-22" ], "github_reviewed": true, "nvd_published_at": "2024-06-06T18:15:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2024-4941
- https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c
- https://github.com/gradio-app/gradio
- https://github.com/pypa/advisory-database/tree/main/vulns/gradio/PYSEC-2024-184.yaml
- https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e
Affected packages
PyPI / gradio
Package
- Name
- gradio
- View open source insights on deps.dev
- Purl
- pkg:pypi/gradio
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed4.31.3
Affected versions
0.*
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.4.0
0.4.1
0.4.2
0.4.4
0.5.0
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.8.0
0.8.1
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9.2
0.9.9.3
0.9.9.5
0.9.9.6
0.9.9.7
0.9.9.8
0.9.9.9
0.9.9.9.2
1.*
1.0.0a1
1.0.0a3
1.0.0a4
1.0.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.8
1.1.8.1
1.1.9
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.4.0
1.4.2
1.4.3
1.4.4
1.5.0
1.5.1
1.5.3
1.5.4
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.7.0
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
2.*
2.0.0
2.0.1
2.0.2
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.10
2.1.0
2.1.1
2.1.2
2.1.4
2.1.6
2.1.7
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9a0
2.2.9a2
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.3.0a0
2.3.0b99
2.3.0b101
2.3.0b102
2.3.0
2.3.3
2.3.4
2.3.5b0
2.3.5
2.3.6
2.3.7b0
2.3.7b1
2.3.7b2
2.3.7
2.3.8b0
2.3.9
2.4.0a0
2.4.0
2.4.1
2.4.2
2.4.4
2.4.5
2.4.6
2.4.7b0
2.4.7b2
2.4.7b3
2.4.7b4
2.4.7b5
2.4.7b6
2.4.7b7
2.4.7b8
2.4.7b9
2.5.0
2.5.1
2.5.2
2.5.3
2.5.8a0
2.6.0
2.6.1a0
2.6.1b0
2.6.1b3
2.6.1
2.6.2
2.6.3
2.6.4b0
2.6.4b2
2.6.4b3
2.6.4
2.7.0a101
2.7.0a102
2.7.0b70
2.7.0
2.7.5
2.7.5.1
2.7.5.2b0
2.7.5.2
2.8.0a100
2.8.0b0
2.8.0b2
2.8.0b3
2.8.0b4
2.8.0b5
2.8.0b6
2.8.0b10
2.8.0b12
2.8.0b20
2.8.0b22
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.9.0b0
2.9.0b1
2.9.0b2
2.9.0b3
2.9.0b5
2.9.0b6
2.9.0b7
2.9.0b8
2.9.0b9
2.9.0b10
2.9b11
2.9b12
2.9b13
2.9b14
2.9b15
2.9b20
2.9b21
2.9b22
2.9b23
2.9b24
2.9b25
2.9b26
2.9b27
2.9b28
2.9b30
2.9b31
2.9b32
2.9b33
2.9b40
2.9b48
2.9b50
2.9.0
2.9.0.1
2.9.1
2.9.2
2.9.3
2.9.4
3.*
3.0b0
3.0b1
3.0b2
3.0b5
3.0b6
3.0b8
3.0b9
3.0b10
3.0
3.0.1b120
3.0.1b121
3.0.1b300
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6b1
3.0.6b2
3.0.6b3
3.0.6
3.0.7
3.0.8b1
3.0.8
3.0.9b10
3.0.9b11
3.0.9b20
3.0.9
3.0.10b2
3.0.10b16
3.0.10
3.0.11b1
3.0.11
3.0.12
3.0.13b13
3.0.13b15
3.0.13b100
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18b0
3.0.18
3.0.19b0
3.0.19b1
3.0.19b2
3.0.19
3.0.20.dev0
3.0.20
3.0.21
3.0.22
3.0.23.dev1
3.0.23
3.0.24
3.0.25
3.0.26
3.1.0
3.1.1
3.1.2
3.1.3a0
3.1.3a2
3.1.3a3
3.1.3a4
3.1.3a5
3.1.3
3.1.4b0
3.1.4b1
3.1.4b2
3.1.4b3
3.1.4b4
3.1.4b5
3.1.4
3.1.5b1
3.1.5b2
3.1.5b3
3.1.5b4
3.1.5b5
3.1.5b7
3.1.5b8
3.1.5b9
3.1.5b10
3.1.5
3.1.6b1
3.1.6
3.1.7
3.1.8b0
3.1.8b2
3.1.8b3
3.1.8b4
3.1.8b6
3.2
3.2.1b0
3.2.1b1
3.2.1b2
3.3b0
3.3b1
3.3
3.3.1
3.4b0
3.4b1
3.4b2
3.4b3
3.4b5
3.4
3.4.1
3.5
3.6.0b1
3.6.0b2
3.6.0b3
3.6.0b7
3.6.0b10
3.6
3.7
3.8b1
3.8b2
3.8
3.8.1.dev1
3.8.1
3.8.2
3.9
3.9.1
3.10.0
3.10.1
3.11.0
3.12.0b1
3.12.0b2
3.12.0b3
3.12.0b6
3.12.0b7
3.12.0
3.13.0b1
3.13.0
3.13.1b0
3.13.1b1
3.13.1b2
3.13.1
3.13.2
3.14.0a1
3.14.0
3.15.0
3.16.0
3.16.1b1
3.16.1
3.16.2
3.17.0
3.17.1b1
3.17.1b2
3.17.1
3.18.0
3.18.1b1
3.18.1b2
3.18.1b3
3.18.1b4
3.18.1b5
3.18.1b6
3.18.1b7
3.19.0
3.19.1
3.20.0b1
3.20.0b2
3.20.0
3.20.1
3.21.0
3.22.0
3.22.1b1
3.22.1
3.23.0
3.23.1b1
3.23.1b2
3.23.1b3
3.24.0
3.24.1
3.25.0
3.25.1b1
3.25.1b2
3.26.0
3.27.0
3.28.0
3.28.1
3.28.2
3.28.3
3.28.4b0
3.29.0
3.30.0
3.31.0
3.32.0
3.33.0
3.33.1
3.34.0
3.35.0
3.35.1
3.35.2
3.36.0
3.36.1
3.37.0
3.38.0
3.39.0
3.40.0
3.40.1
3.41.0
3.41.1
3.41.2
3.42.0
3.43.0
3.43.1
3.43.2
3.44.0
3.44.1
3.44.2
3.44.3
3.44.4
3.45.0b0
3.45.0b9
3.45.0b10
3.45.0b11
3.45.0b12
3.45.0b13
3.45.0
3.45.1
3.45.2
3.46.0
3.46.1
3.47.0
3.47.1
3.48.0
3.49.0
3.50.0
3.50.1
3.50.2
4.*
4.0.0b15
4.0.0
4.0.1
4.0.2
4.1.0
4.1.1
4.1.2
4.2.0
4.3.0
4.4.0
4.4.1
4.5.0
4.7.0
4.7.1
4.8.0
4.9.0
4.9.1
4.10.0
4.11.0
4.12.0
4.13.0
4.14.0
4.15.0
4.16.0
4.17.0
4.18.0
4.19.0
4.19.1
4.19.2
4.20.0
4.20.1
4.21.0
4.22.0
4.23.0
4.24.0
4.25.0
4.26.0
4.27.0
4.28.0
4.28.1
4.28.2
4.28.3
4.29.0
4.31.0
4.31.1
4.31.2