PT-2025-4788 · Gradio · Gradio

Jackfromeast

·

Published

2025-01-14

·

Updated

2025-08-26

·

CVE-2025-23042

CVSS v4.0

9.1

Critical

Vector AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Gradio versions prior to 5.6.0
Description: Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path, because the file path validation logic does not normalize case before comparing a requested path against the blocked entries. On a case-insensitive file system, such as the defaults on Windows and macOS, a request for the same path with different letter case refers to the same file on disk but no longer matches the blocked entry, so the check passes and the file is served. This allows an attacker to read sensitive files that the ACL was configured to protect, exposing sensitive information and undermining Gradio's security model. Deployments on a case-sensitive file system are not affected by this particular bypass, since there the case variant names a different (normally non-existent) file.
Recommendations: For Gradio versions prior to 5.6.0, upgrade to version 5.6.0 or later to address the vulnerability. As a temporary workaround, normalize the case of both the requested path and every blocked path (for example, convert all of them to lowercase) before evaluating the request against the ACL; applying this normalization on a case-sensitive file system can only over-block, never under-block, so it is safe to apply unconditionally. Restrict access to sensitive files and directories until the issue is resolved.
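As an added illustration, the code below models the flaw and the recommended workaround; it is not Gradio's code and not the patch shipped in 5.6.0. A blocked-path list is checked against a requested path, first without case folding (the vulnerable shape) and then with case folding whenever the host file system is case-insensitive (the hardened shape). The `/app/...` paths, the blocked list, the helper names and the `case_insensitive` flag are all hypothetical, and the file-system behaviour is simulated with string operations so the example runs offline on any OS.

```python
"""Case-variant bypass of a blocked-path ACL check (illustrative only).

Hypothetical model of the bug class described in CVE-2025-23042; not
Gradio's implementation. Paths and policy below are constructed for the demo.
"""
import posixpath

# Constructed sample policy: directories/files the operator wants hidden.
BLOCKED_PATHS = ["/app/secrets", "/app/config/credentials.json"]
# Hypothetical working directory used to absolutise relative requests.
WORKING_DIR = "/app"


def _canonical(path: str, case_insensitive: bool) -> str:
    """Absolute, dot-segment-free form of *path*.

    When the file system ignores case, the string is lower-cased so that
    'Secrets' and 'secrets' compare equal, mirroring what the OS does when
    it opens the file.
    """
    if not posixpath.isabs(path):
        path = posixpath.join(WORKING_DIR, path)
    canon = posixpath.normpath(path)
    return canon.lower() if case_insensitive else canon


def _is_in_or_equal(child: str, parent: str) -> bool:
    """True if *child* equals *parent* or lies beneath it (both canonical)."""
    if child == parent:
        return True
    return child.startswith(parent.rstrip("/") + "/")


def is_blocked_vulnerable(requested: str, blocked=BLOCKED_PATHS) -> bool:
    """Pre-fix shape: paths are normalised (dot segments, relative parts)
    but never case-folded, so on Windows/macOS a case variant of a blocked
    path is not recognised even though it opens the same file."""
    req = _canonical(requested, case_insensitive=False)
    return any(_is_in_or_equal(req, _canonical(b, False)) for b in blocked)


def is_blocked_fixed(requested: str, case_insensitive: bool,
                     blocked=BLOCKED_PATHS) -> bool:
    """Hardened shape: fold case on BOTH the request and every blocked
    entry whenever the serving file system is case-insensitive."""
    req = _canonical(requested, case_insensitive)
    return any(_is_in_or_equal(req, _canonical(b, case_insensitive))
               for b in blocked)


def same_file_on_fs(a: str, b: str, case_insensitive: bool) -> bool:
    """Model of the OS: on a case-insensitive file system two paths that
    differ only in case name the same object; on a case-sensitive one they
    do not."""
    return _canonical(a, case_insensitive) == _canonical(b, case_insensitive)


def demo() -> dict:
    """Evaluate a few constructed requests under both checks.

    Returns {request: (vulnerable_blocks, fixed_blocks_ci, fixed_blocks_cs)}.
    """
    requests = [
        "/app/secrets/key.txt",            # exact case: both checks block
        "/app/SECRETS/key.txt",            # case variant: vulnerable check passes
        "/app/data/../Secrets/key.txt",    # dot segments plus case variant
        "config/Credentials.JSON",         # relative request, case variant
        "/app/data/public.csv",            # legitimate file: never blocked
    ]
    return {
        r: (is_blocked_vulnerable(r),
            is_blocked_fixed(r, case_insensitive=True),
            is_blocked_fixed(r, case_insensitive=False))
        for r in requests
    }


if __name__ == "__main__":
    print(f"{'request':34} vuln  fixed(ci)  fixed(cs)")
    for req, (v, fci, fcs) in demo().items():
        print(f"{req:34} {v!s:5} {fci!s:10} {fcs!s}")
```

The `case_insensitive` flag should come from a runtime probe of the directory actually being served (for example, create a temporary file there and test whether a differently-cased name for it also exists) rather than from `sys.platform`: a case-sensitive volume can be mounted on macOS and a case-insensitive one on Linux. Because folding case on a case-sensitive file system only over-blocks, defaulting the flag to `True` when the probe is inconclusive fails safe. Note also that the vulnerable check already handles `..` segments; that is deliberate, because the bug is specifically the missing case normalization, not missing path normalization.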


Weakness Enumeration

Improper Authorization (CWE-285)

Related Identifiers

CVE-2025-23042
GHSA-J2JG-FQ62-7C3H
PYSEC-2025-118

Affected Products

Gradio