PT-2025-12126 · Gradio · Gradio
Published: 2024-11-10
Updated: 2025-03-20
CVE-2024-12217
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
gradio-app/gradio version git 67e4044
Description
A flaw in the implementation of the blocked path functionality allows path traversal on Windows. The check does not account for NTFS Alternate Data Streams (ADS) syntax: a request for 'C:/tmp/secret.txt::$DATA' names the default data stream of the blocked file, so it is not matched against the blocklist and can lead to unauthorized reading of blocked file paths.
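The following is an added illustration of the failure mode, not Gradio's own code: a blocklist check that only normalizes the string (`is_blocked_naive`) next to one that first reduces the path to the file it actually names by removing the stream designator (`is_blocked_hardened`). Function names and the blocklist are constructed for this example; `ntpath` makes the Windows semantics reproducible on any platform.

```python
import ntpath

# Constructed blocked-path list for the example (not Gradio's real configuration)
BLOCKED_PATHS = [r"C:\tmp\secret.txt", r"C:\tmp\private"]


def _norm(path: str) -> str:
    """Normalize separators, '.'/'..' segments and case, as NTFS compares names."""
    return ntpath.normcase(ntpath.normpath(path))


def _matches_blocklist(target: str) -> bool:
    for blocked in BLOCKED_PATHS:
        b = _norm(blocked)
        if target == b or target.startswith(b + ntpath.sep):
            return True
    return False


def is_blocked_naive(path: str) -> bool:
    """Weak check: the stream suffix survives normalization, so
    'secret.txt::$DATA' never compares equal to 'secret.txt'."""
    return _matches_blocklist(_norm(path))


def canonical_file_path(path: str) -> str:
    """Reduce a Windows path to the file it names by dropping an NTFS stream
    designator ('name:stream:$TYPE') from the last component. The only
    legitimate ':' in a Windows path follows the drive letter, so a colon in
    any directory component is rejected rather than guessed at."""
    drive, rest = ntpath.splitdrive(path)
    head, tail = ntpath.split(rest)
    if ":" in head:
        raise ValueError("stream designator in a directory component")
    tail = tail.split(":", 1)[0]  # 'secret.txt::$DATA' -> 'secret.txt'
    if not tail:
        raise ValueError("empty file name after removing stream designator")
    return _norm(ntpath.join(drive + head, tail))


def is_blocked_hardened(path: str) -> bool:
    """Hardened check: compare the canonical file, and fail closed on input
    that cannot be canonicalized."""
    try:
        return _matches_blocklist(canonical_file_path(path))
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed probes; the second and third are the bypass from the advisory
    for p in (r"C:\tmp\secret.txt", "C:/tmp/secret.txt::$DATA",
              r"C:\tmp\secret.txt:hidden:$DATA", r"C:\tmp\public.txt"):
        print(f"{p!r:38} naive={is_blocked_naive(p)!s:5} hardened={is_blocked_hardened(p)}")
```

The same canonicalization also collapses `..` segments before the comparison, so a traversal combined with a stream suffix is resolved to the blocked file as well.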
Recommendations
For version git 67e4044, consider disabling the blocked path functionality until a patch is available to prevent path traversal attacks. Restrict access to sensitive files and directories to minimize the risk of exploitation. Avoid using NTFS Alternate Data Streams (ADS) syntax in file paths to prevent bypassing the blocked path functionality.
Exploit
Fix
Path traversal
Related Identifiers
Affected Products
Gradio