CVE-2023-51449

Name of the Vulnerable Software and Affected Versions Gradio versions prior to 4.11.0

Description The issue concerns a vulnerability in the /file route of Gradio, making it susceptible to file traversal attacks. An attacker could access arbitrary files on a machine running a Gradio app with a public URL if they knew the path of files to look for. This was possible through programmatic tools such as curl with the --pass-as-is flag, but not through regular URLs passed into a browser. Additionally, the /file route was vulnerable to Server-Side Request Forgery (SSRF) attacks.

Recommendations For Gradio versions prior to 4.11.0, update to version 4.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the /file route to minimize the risk of exploitation. Avoid using the /file route in Gradio apps until the issue is resolved.