Gradio is an open-source Python package designed for quick prototyping. Prior to version 6.7, Gradio apps running on Window with Python 3.13+ are vulnerable to an absolute path traversal issue that enables unauthenticated attackers to read arbitrary files from the file system. Python 3.13+ changed the definition of `os.path.isabs` so that root-relative paths like `/windows/win.ini` on Windows are no longer considered absolute paths, resulting in a vulnerability in Gradio's logic for joining paths safely. This can be exploited by unauthenticated attackers to read arbitrary files from the Gradio server, even when Gradio is set up with authentication. Version 6.7 fixes the issue.
oryginał ENCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NGradio Project Gradio
APPGradio Project< 6.7.0
Powiązane podatności
Code injection w Gradio v4.36.1 via component_meta.py
Command Injection w workflow CI/CD repozytorium Gradio (GitHub Actions)
Path Traversal (LFI) w Gradio poprzez złośliwą wartość JSON w API
Gradio before 6.16.0 contain a path traversal vulnerability in the FileExplorer component's preprocess() metho...
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform...