Gradio · Gradio · CVE-2024-51751
**Name of the Vulnerable Software and Affected Versions**
Gradio versions prior to 5.5.0
**Description**
An attacker who can reach the application can abuse the `File` or `UploadButton` components to read arbitrary files from the application server. Incoming file paths are meant to be sanitized by `processing_utils.async_move_files_to_cache`, but that function only acts on inputs that `client_utils.is_file_obj_with_meta` identifies as file objects, and that predicate is not guaranteed to fire for every input that contains a file path. An input that carries a `path` without being recognized as a file object therefore skips the cache move and its path check, and the attacker-controlled path is used as-is. The vulnerability is exploited by sending a request to the `/gradio_api/run/predict` API endpoint with a specially crafted payload, for example one whose `path` is set to `/etc/passwd`, which returns the contents of that file to the attacker.
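The following is an added example, not Gradio's own source, that models the bypass described above: a simplified stand-in for the `client_utils.is_file_obj_with_meta` predicate, a traversal that (like the pre-5.5.0 flow) only path-checks objects that predicate accepts, and a hardened variant that checks every dict carrying a string `path` against an allow-list of directories. The function names `walk`, `check_allowed`, `vulnerable_preprocess`, `hardened_preprocess` and `read_uploaded_file`, the payload shapes, and the temp-directory stand-ins for the upload cache and for `/etc/passwd` are all constructed for this example; the real Gradio predicate and cache logic are more involved.

```python
"""Model of the CVE-2024-51751 bypass and a hardened path check.

Added example, not Gradio's code. `is_file_obj_with_meta` below is a
simplified stand-in for the Gradio predicate; all other names are constructed.
"""
import os
import tempfile
from pathlib import Path
from typing import Any


def is_file_obj_with_meta(d: Any) -> bool:
    """Stand-in for the Gradio predicate: only a dict tagged gradio.FileData counts."""
    return (
        isinstance(d, dict)
        and isinstance(d.get("path"), str)
        and isinstance(d.get("meta"), dict)
        and d["meta"].get("_type") == "gradio.FileData"
    )


def has_path(d: Any) -> bool:
    """Hardened predicate: any dict with a string `path` is a file reference."""
    return isinstance(d, dict) and isinstance(d.get("path"), str)


def walk(obj: Any, predicate, fn):
    """Apply fn to every sub-object accepted by predicate; recurse into the rest."""
    if predicate(obj):
        return fn(obj)
    if isinstance(obj, dict):
        return {k: walk(v, predicate, fn) for k, v in obj.items()}
    if isinstance(obj, list):
        return [walk(v, predicate, fn) for v in obj]
    return obj


def check_allowed(path: str, allowed_dirs: list) -> str:
    """Resolve symlinks and `..`, then require the path to sit under an allowed root."""
    real = Path(os.path.realpath(path))
    for root in allowed_dirs:
        root_real = Path(os.path.realpath(root))
        if real == root_real or root_real in real.parents:
            return str(real)
    raise PermissionError(f"path {path!r} is outside the allowed directories")


def vulnerable_preprocess(payload: Any, allowed_dirs: list) -> Any:
    """Pre-5.5.0 model: only FileData-tagged dicts are checked; others pass through."""
    return walk(payload, is_file_obj_with_meta,
                lambda d: {**d, "path": check_allowed(d["path"], allowed_dirs)})


def hardened_preprocess(payload: Any, allowed_dirs: list) -> Any:
    """Same traversal, but every dict carrying a string `path` is checked."""
    return walk(payload, has_path,
                lambda d: {**d, "path": check_allowed(d["path"], allowed_dirs)})


def read_uploaded_file(component_value: dict) -> str:
    """Models a File component consumer that trusts whatever `path` it is handed."""
    with open(component_value["path"], encoding="utf-8", errors="replace") as f:
        return f.read()


def demo() -> dict:
    """Run both flows against a legitimate upload and a crafted payload (constructed data)."""
    with tempfile.TemporaryDirectory() as uploads, tempfile.TemporaryDirectory() as outside:
        legit = Path(uploads, "upload.txt")          # stands in for a real upload in the cache dir
        legit.write_text("hello from a real upload")
        secret = Path(outside, "secret.txt")         # stands in for /etc/passwd
        secret.write_text("root:x:0:0:root:/root:/bin/bash\n")

        legit_payload = {"data": [{"path": str(legit), "meta": {"_type": "gradio.FileData"}}]}
        # Crafted body: a string `path` but no FileData marker, so the old predicate ignores it.
        crafted_payload = {"data": [{"path": str(secret)}]}

        result = {}
        ok = vulnerable_preprocess(legit_payload, [uploads])
        result["legit_passes"] = read_uploaded_file(ok["data"][0]).startswith("hello")

        # Vulnerable flow: check_allowed is never called on the crafted dict, so the read succeeds.
        passed = vulnerable_preprocess(crafted_payload, [uploads])
        result["vulnerable_leaks_secret"] = read_uploaded_file(passed["data"][0]).startswith("root:")

        # Hardened flow: the crafted dict is checked and rejected before anything is read.
        try:
            hardened_preprocess(crafted_payload, [uploads])
            result["hardened_blocks"] = False
        except PermissionError:
            result["hardened_blocks"] = True
        kept = hardened_preprocess(legit_payload, [uploads])["data"][0]["path"]
        result["hardened_keeps_legit"] = kept == os.path.realpath(str(legit))
        return result


if __name__ == "__main__":
    print(demo())
```

The point to take from the model is that the filter and the consumer disagree about what a file object is: the consumer reads any `path` it is handed, while the filter only inspects inputs that carry the FileData marker, so the safe predicate is the one the consumer actually uses (any string `path`), and the allow-list check has to run on the resolved real path so symlinks and `..` cannot escape the upload directory.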
**Recommendations**
Upgrade to Gradio 5.5.0 or later, which addresses the issue. Until the upgrade is in place, restrict who can reach applications that expose `File` or `UploadButton` components (for example by requiring authentication in front of the app) to minimize the risk of exploitation. Note that the `path` value is part of the request body sent by the client, so it is the attacker, not the operator, who chooses it; there is no server-side setting that avoids it, and a request to `/gradio_api/run/predict` whose payload carries a `path` such as `/etc/passwd` should be treated as an exploitation attempt.