CVE-2024-10648

HIGH8.2EPSS 0.25%

Gradio Vulnerable to Arbitrary File Deletion

Published: 3/20/2025Modified: 3/20/2025

Description

A path traversal vulnerability exists in the Gradio Audio component of gradio-app/gradio, as of version git 98cbcae. This vulnerability allows an attacker to control the format of the audio file, leading to arbitrary file content deletion. By manipulating the output format, an attacker can reset any file to an empty file, causing a denial of service (DOS) on the server.

Affected packages (1)

PyPI/gradio>= 4.0.0, <= 5.0.0b2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-10648
PATCHhttps://github.com/gradio-app/gradio
WEBhttps://github.com/gradio-app/gradio/blame/98cbcaef827de7267462ccba180c7b2ffb1e825d/gradio/processing_utils.py#L234
WEBhttps://huntr.com/bounties/667d664d-8189-458c-8ed7-483fe8f33c76