CVE-2024-4941

Name of the Vulnerable Software and Affected Versions gradio-app/gradio version 4.25

Description A local file inclusion issue exists due to improper input validation in the postprocess() function within gradio/components/json component.py. This allows a user-controlled string to be parsed as JSON. If the JSON object contains a path key, the specified file is moved to a temporary directory, making it retrievable via the "/file=.." endpoint. The processing utils.move files to cache() function is responsible for this behavior, as it traverses any object passed to it, looking for a dictionary with a path key, and then copies the specified file to a temporary directory. This poses a significant security risk, as it can be exploited by an attacker to read files on the remote system.

Recommendations For gradio-app/gradio version 4.25, consider disabling the postprocess() function within gradio/components/json component.py or restricting the use of the processing utils.move files to cache() function to minimize the risk of exploitation. Avoid using the path key in the JSON object until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.