CVE-2024-8966

HIGH7.5EPSS 0.29%

Gradio DOS in multipart boundry while uploading the file

Published: 3/20/2025Modified: 10/16/2025

Description

A vulnerability in the file upload process of gradio-app/gradio version @gradio/[email protected] allows for a Denial of Service (DoS) attack. An attacker can append a large number of characters to the end of a multipart boundary, causing the system to continuously process each character and issue warnings. This can render Gradio inaccessible for extended periods, disrupting services and causing significant downtime.

Affected packages (1)

PyPI/gradiofrom 0, <= 5.22.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-8966
PATCHhttps://github.com/gradio-app/gradio
WEBhttps://github.com/gradio-app/gradio/commit/f1718c47137f9c60240da7afe5e3290aa0f1cb47
WEBhttps://huntr.com/bounties/7b5932bb-58d1-4e71-b85c-43dc40522ff2