gradio
PyPI · 37 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting gradio (page 1 of 1)
- CVE-2021-43831 | HIGH | CVSS 7.7 | EG 7.7 | ✓ Fixed in 2.5.0 | 2021-12-15
vulnerable: 0.1.0 ... 2.4.7b9 (163 versions)
Gradio is an open source framework for building interactive machine learning models and demos. In versions prior to 2.5.0 there is a vulnerability that affects anyone who creates and publicly shares Gradio interfaces. File paths are not re…
- CVE-2022-24770 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 2.8.11 | 2022-03-17
vulnerable: 0.1.0 ... 2.8.9 (209 versions)
`gradio` is an open source framework for building interactive machine learning models and demos. Prior to version 2.8.11, `gradio` suffers from Improper Neutralization of Formula Elements in a CSV File. The `gradio` library has a flagging …
- CVE-2023-25823 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 3.13.1 | 2023-02-23
vulnerable: 0.1.0 ... 3.9.1 (386 versions)
Gradio is an open-source Python library to build machine learning and data science demos and web applications. Versions prior to 3.13.1 contain Use of Hard-coded Credentials. When using Gradio's share links (i.e. creating a Gradio app and …
- CVE-2023-34239 | HIGH | CVSS 7.3 | EG 7.3 | ✓ Fixed in 3.34.0 | 2023-06-08
vulnerable: 0.1.0 ... 3.9.1 (439 versions)
Gradio is an open-source Python library that is used to build machine learning and data science. Due to a lack of path filtering Gradio does not properly restrict file access to users. Additionally Gradio does not properly restrict the wha…
- CVE-2023-41626 | MEDIUM | CVSS 4.8 | EG 4.8 | 2023-09-15
vulnerable: 0.1.0 ... 3.9.1 (428 versions)
Gradio v3.27.0 was discovered to contain an arbitrary file upload vulnerability via the /upload interface.
- CVE-2023-51449 | MEDIUM | CVSS 5.6 | EG 5.6 | ✓ Fixed in 4.11.0 | 2023-12-22
vulnerable: 0.1.0 ... 4.9.1 (506 versions)
Gradio is an open-source Python package that allows you to quickly build a demo or web application for your machine learning model, API, or any arbitrary Python function. Versions of `gradio` prior to 4.11.0 contained a vulnerability in the…
- CVE-2023-6572 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 4.14.0 | 2023-12-14
vulnerable: 0.1.0 ... 4.9.1 (509 versions)
Command Injection in GitHub repository gradio-app/gradio prior to main.
- CVE-2024-0964 | CRITICAL | CVSS 9.4 | EG 9.4 | 2024-02-05
A local file include could be remotely triggered in Gradio due to a vulnerable user-supplied JSON value in an API request.
- CVE-2024-1183 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.10.0 | 2024-04-16
vulnerable: 0.1.0 ... 4.9.1 (505 versions)
An SSRF (Server-Side Request Forgery) vulnerability exists in the gradio-app/gradio repository, allowing attackers to scan and identify open ports within an internal network. By manipulating the 'file' parameter in a GET request, an attack…
- CVE-2024-12217 | MEDIUM | CVSS 5.3 | EG 5.3 | 2025-03-20
vulnerable: 0.1.0 ... 5.0.1 (556 versions)
A vulnerability in the gradio-app/gradio repository, version git 67e4044, allows for path traversal on Windows OS. The implementation of the blocked_path functionality, which is intended to disallow users from reading certain files, is fla…
- CVE-2024-1561 | HIGH | CVSS 7.5 | EG 9.0 | ✓ Fixed in 4.13.0 | 2024-04-16
vulnerable: 0.1.0 ... 4.9.1 (508 versions)
An issue was discovered in gradio-app/gradio, where the `/component_server` endpoint improperly allows the invocation of any method on a `Component` class with attacker-controlled arguments. Specifically, by exploiting the `move_resource_t…
- CVE-2024-1727 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 4.19.2 | 2024-03-21
vulnerable: 0.1.0 ... 4.9.1 (516 versions)
A Cross-Site Request Forgery (CSRF) vulnerability in gradio-app/gradio allows attackers to upload multiple large files to a victim's system if they are running Gradio locally. By crafting a malicious HTML page that triggers an unauthorized…
- CVE-2024-1728 | HIGH | CVSS 7.5 | EG 9.0 | ✓ Fixed in 4.19.2 | 2024-04-10
vulnerable: 0.1.0 ... 4.9.1 (508 versions)
gradio-app/gradio is vulnerable to a local file inclusion vulnerability due to improper validation of user-supplied input in the UploadButton component. Attackers can exploit this vulnerability to read arbitrary files on the filesystem, su…
- CVE-2024-1729 | MEDIUM | CVSS 5.9 | EG 5.9 | ✓ Fixed in 4.19.2 | 2024-03-29
vulnerable: 0.1.0 ... 4.9.1 (516 versions)
A timing attack vulnerability exists in the gradio-app/gradio repository, specifically within the login function in routes.py. The vulnerability arises from the use of a direct comparison operation (`app.auth[username] == password`) to val…
- CVE-2024-2206 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 4.18.0 | 2024-03-27
vulnerable: 0.1.0 ... 4.9.1 (513 versions)
An SSRF vulnerability exists in the gradio-app/gradio due to insufficient validation of user-supplied URLs in the `/proxy` route. Attackers can exploit this vulnerability by manipulating the `self.replica_urls` set through the `X-Direct-Ur…
- CVE-2024-34510 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.20.0 | 2024-05-05
vulnerable: 0.1.0 ... 4.9.1 (509 versions)
Gradio before 4.20 allows credential leakage on Windows.
- CVE-2024-39236 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-07-01
vulnerable: 0.1.0 ... 4.9.1 (536 versions)
Gradio v4.36.1 was discovered to contain a code injection vulnerability via the component /gradio/component_meta.py. This vulnerability is triggered via a crafted input. NOTE: the supplier disputes this because the report is about a user a…
- CVE-2024-4325 | HIGH | CVSS 8.6 | EG 8.6 | 2024-06-06
vulnerable: 0.1.0 ... 4.9.1 (543 versions)
A Server-Side Request Forgery (SSRF) vulnerability exists in the gradio-app/gradio version 4.21.0, specifically within the `/queue/join` endpoint and the `save_url_to_cache` function. The vulnerability arises when the `path` value, obtaine…
- CVE-2024-47084 | HIGH | CVSS 8.3 | EG 8.3 | ✓ Fixed in 4.44.0 | 2024-10-10
vulnerable: 0.1.0 ... 4.9.1 (545 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is related to **CORS origin validation**, where the Gradio server fails to validate the request origin when a cookie is present. This allows an atta…
- CVE-2024-47164 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to the **bypass of directory traversal checks** within the `is_in_or_equal` function. This function, intended to check if a file resides wit…
- CVE-2024-47165 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **CORS origin validation accepting a null origin**. When a Gradio server is deployed locally, the `localhost_aliases` variable includes "…
- CVE-2024-47166 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 4.44.0 | 2024-10-10
vulnerable: 0.1.0 ... 4.9.1 (545 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **one-level read path traversal** in the `/custom_component` endpoint. Attackers can exploit this flaw to access and leak source code fro…
- CVE-2024-47167 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability relates to **Server-Side Request Forgery (SSRF)** in the `/queue/join` endpoint. Gradio’s `async_save_url_to_cache` function allows attackers to f…
- CVE-2024-47168 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 4.44.0 | 2024-10-10
vulnerable: 0.1.0 ... 4.9.1 (545 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves data exposure due to the enable_monitoring flag not properly disabling monitoring when set to False. Even when monitoring is supposedly dis…
- CVE-2024-47867 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability is a **lack of integrity check** on the downloaded FRP client, which could potentially allow attackers to introduce malicious code. If an attacker g…
- CVE-2024-47868 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This is a **data validation vulnerability** affecting several Gradio components, which allows arbitrary file leaks through the post-processing step. Attackers can expl…
- CVE-2024-47869 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 4.44.0 | 2024-10-10
vulnerable: 0.1.0 ... 4.9.1 (545 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **timing attack** in the way Gradio compares hashes for the `analytics_dashboard` function. Since the comparison is not done in constant …
- CVE-2024-47870 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves a **race condition** in the `update_root_in_config` function, allowing an attacker to modify the `root` URL used by the Gradio frontend to …
- CVE-2024-47871 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **insecure communication** between the FRP (Fast Reverse Proxy) client and server when Gradio's `share=True` option is used. HTTPS is not e…
- CVE-2024-47872 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 5.0.0 | 2024-10-10
vulnerable: 0.1.0 ... 5.0.0b9 (554 versions)
Gradio is an open-source Python package designed for quick prototyping. This vulnerability involves **Cross-Site Scripting (XSS)** on any Gradio server that allows file uploads. Authenticated users can upload files such as HTML, JavaScript…
- CVE-2024-48052 | MEDIUM | CVSS 6.5 | EG 6.5 | 2024-11-04
vulnerable: 0.1.0 ... 4.9.1 (552 versions)
In gradio <=4.42.0, the gr.DownloadButton function has a hidden server-side request forgery (SSRF) vulnerability. The reason is that within the save_url_to_cache function, there are no restrictions on the URL, which allows access to local …
- CVE-2024-4940 | MEDIUM | CVSS 6.1 | EG 5.4 | 2024-06-22
vulnerable: 0.1.0 ... 4.9.1 (544 versions)
An open redirect vulnerability exists in the gradio-app/gradio, affecting the latest version. The vulnerability allows an attacker to redirect users to arbitrary websites, which can be exploited for phishing attacks, Cross-site Scripting (…
- CVE-2024-4941 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 4.31.4 | 2024-06-06
vulnerable: 0.1.0 ... 4.9.1 (527 versions)
A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, wher…
- CVE-2024-51751 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 5.5.0 | 2024-11-06
vulnerable: 5.0.0 ... 5.4.0 (6 versions)
Gradio is an open-source Python package designed to enable quick builds of a demo or web application. If File or UploadButton components are used as a part of Gradio application to preview file content, an attacker with access to the appli…
- CVE-2025-23042 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 5.11.0 | 2025-01-14
vulnerable: 0.1.0 ... 5.9.1 (568 versions)
Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by alteri…
- CVE-2025-48889 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 5.31.0 | 2025-05-30
vulnerable: 0.1.0 ... 5.9.1 (601 versions)
Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Prior to version 5.31.0, an arbitrary file copy vulnerability in Gradio's f…
- CVE-2025-5320 | LOW | CVSS 3.7 | EG 3.7 | 2025-05-29
vulnerable: 5.0.0 ... 5.9.1 (46 versions)
A vulnerability classified as problematic has been found in gradio-app gradio up to 5.29.1. This affects the function is_valid_origin of the component CORS Handler. The manipulation of the argument localhost_aliases leads to erweiterte Rec…