PT-2024-28403 · Gradio · Gradio

Kmulka-Bloomberg · Published 2024-07-01 · Updated 2025-06-27 · CVE-2024-39236

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Gradio version 4.36.1

Description: A code injection issue was discovered in Gradio via the component /gradio/component meta.py. The issue is triggered by a crafted input. Note that the supplier disputes this report on the grounds that it involves a user attacking themselves.

Recommendations: For Gradio version 4.36.1, consider disabling the component /gradio/component meta.py as a temporary workaround until a patch is available, and restrict access to this component to minimize the risk of exploitation. Avoid supplying crafted inputs that could trigger this issue until it is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.

Weakness Enumeration

Code Injection

Related Identifiers

CVE-2024-39236
GHSA-9V2F-6VCG-3HGV
PYSEC-2024-274

Affected Products

Gradio