Description

A local file inclusion vulnerability exists in the JSON component of gradio-app/gradio version 4.25. The vulnerability arises from improper input validation in the `postprocess()` function within `gradio/components/json_component.py`, where a user-controlled string is parsed as JSON. If the parsed JSON object contains a `path` key, the specified file is moved to a temporary directory, making it possible to retrieve it later via the `/file=..` endpoint. This issue is due to the `processing_utils.move_files_to_cache()` function traversing any object passed to it, looking for a dictionary with a `path` key, and then copying the specified file to a temporary directory. The vulnerability can be exploited by an attacker to read files on the remote system, posing a significant security risk.

INFO

Published Date :

2024-06-06T17:55:11.754Z

Last Modified :

2025-10-15T12:49:40.335Z

Source :

@huntr_ai
AFFECTED PRODUCTS

The following products are affected by CVE-2024-4941 vulnerability.

Vendors Products
Gradio Project
  • Gradio
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-4941.

URL Resource
https://github.com/gradio-app/gradio/commit/ee1e2942e0a1ae84a08a05464e41c8108a03fa9c cve-icon cve-icon
https://huntr.com/bounties/39889ce1-298d-4568-aecd-7ae40c2ca58e cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact