PT-2024-32859 · Gradio · Gradio
Ahpaleus +1 · Published 2024-10-10 · Updated 2024-10-17 · CVE-2024-47868
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Gradio versions prior to 5.0
Description
This is a data validation vulnerability in several Gradio components that allows arbitrary file leaks through the post-processing step. Attackers can exploit these components by crafting requests that bypass the expected input constraints. This could expose sensitive files to unauthorized users, especially when combined with other vulnerabilities. The components most at risk are those that return or handle file data, in particular those that convert a string to FileData, convert complex data to FileData, read a file directly in preprocess, or convert a dictionary to FileData. Exploit scenarios include bypassing allowed inputs to download sensitive files and crafting malicious payloads to leak sensitive files from a server.
Recommendations
For Gradio versions prior to 5.0, upgrade to the latest version to mitigate this vulnerability. There are no known workarounds for this vulnerability. As a temporary mitigation, consider restricting access to the vulnerable components, such as DownloadButton, Audio, ImageEditor, Video, Model3D, File, UploadButton, Chatbot, MultimodalTextbox, Code, ParamViewer, and Dataset, until a patch is available. Avoid using these components to handle or return file data until the issue is resolved.
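The advisory describes the root cause as postprocess code turning attacker-influenced strings or dictionaries into FileData without checking where the resulting path points. The following is an added example, not code from Gradio or from this advisory: a defensive containment check that an application developer can apply to any path their own output handlers return before it is served, so that only files under an explicit allow-list of directories are ever exposed. It resolves symlinks with `os.path.realpath` before comparing, so `..` segments and symlinks pointing outside the allowed directory are both rejected. The directory layout in `demo()` is constructed inside a temporary directory for illustration and assumes a POSIX host that permits symlinks.

```python
import os
import tempfile
from pathlib import Path


def is_within_allowed(path: str, allowed_dirs: list) -> bool:
    """Return True only if the symlink-resolved path lies inside one of allowed_dirs.

    Both the candidate and each base are passed through os.path.realpath so that
    '..' segments and symlinks are normalised before the containment test.
    """
    real = Path(os.path.realpath(path))
    for base in allowed_dirs:
        real_base = Path(os.path.realpath(base))
        try:
            real.relative_to(real_base)  # raises ValueError when not contained
            return True
        except ValueError:
            continue
    return False


def safe_output_file(path: str, allowed_dirs: list) -> str:
    """Validate a path produced by an output handler before it is served.

    Raises PermissionError for anything outside the allow-list and
    FileNotFoundError for paths that do not resolve to a regular file.
    Returns the resolved path on success.
    """
    if not is_within_allowed(path, allowed_dirs):
        raise PermissionError(f"refusing to serve file outside allowed directories: {path}")
    resolved = os.path.realpath(path)
    if not os.path.isfile(resolved):
        raise FileNotFoundError(path)
    return resolved


def demo() -> dict:
    """Exercise the check against constructed inputs; returns outcome per case."""
    # Constructed sandbox: an allowed 'outputs' directory and a secret file outside it.
    root = tempfile.mkdtemp()
    outputs = os.path.join(root, "outputs")
    os.makedirs(outputs)
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("do not leak")
    legit = os.path.join(outputs, "result.png")
    with open(legit, "wb") as fh:
        fh.write(b"\x89PNG")
    # A symlink inside the allowed directory that points at the secret outside it.
    link = os.path.join(outputs, "link")
    os.symlink(secret, link)
    # A traversal path that textually starts under 'outputs' but escapes it.
    traversal = os.path.join(outputs, "..", "secret.txt")

    cases = {"ok": legit, "traversal": traversal, "symlink": link, "absolute": secret}
    results = {}
    for name, candidate in cases.items():
        try:
            safe_output_file(candidate, [outputs])
            results[name] = "allowed"
        except PermissionError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    print(demo())
```

The check is intentionally a property of the application, not of any particular Gradio version: even after upgrading, an allow-list of output directories limits what a future validation bug in a component could expose.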
Path traversal
Information Disclosure
Affected Products
Gradio