Platform: python
Component: gradio
Fixed in: 4.19.2
CVE-2024-1728 describes an Arbitrary File Access vulnerability within Gradio, a Python library for building user interfaces for machine learning models. This vulnerability allows malicious actors to access files on the server hosting Gradio applications that are exposed via public links, such as those deployed on Hugging Face Spaces. The vulnerability impacts Gradio versions 4.9.1 and earlier, and a patch is available in version 4.19.2 or higher.
The primary impact of CVE-2024-1728 is unauthorized file access. Attackers can intercept and modify network requests made by the Gradio application to the server, enabling them to retrieve sensitive data stored on the host machine. This could include configuration files, API keys, source code, or other confidential information. The potential blast radius is significant, particularly for Gradio applications deployed in public environments like Hugging Face Spaces, as these applications are inherently accessible to a wide range of users. While there is no current evidence of active exploitation, the ease of exploitation makes this a high-priority concern.
CVE-2024-1728 was publicly disclosed on September 25, 2024. There is currently no listing on KEV, and the EPSS score is pending evaluation. While no public proof-of-concept (PoC) code has been released, the vulnerability's ease of exploitation suggests a high likelihood of PoCs emerging. Refer to the official Gradio advisory for further details.
Exploit Status
EPSS: 87.95% (99th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2024-1728 is to upgrade Gradio to version 4.19.2 or higher; the patched release contains the fix that prevents the unauthorized file access. If upgrading is not immediately feasible, consider network-level restrictions that limit what the Gradio application can reach on the host file system. WAF rules can be configured to block requests that attempt to access files outside the intended application directory. Review and restrict file permissions on the server hosting the Gradio application so that a successful exploit reaches as little as possible. After upgrading, confirm the fix by attempting to access a file outside the intended application directory through the Gradio interface; the access should be denied.
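The check that the mitigation and the post-upgrade verification both rely on is path containment: a client-supplied path must resolve to a location inside the directory the application is meant to serve, and anything else is denied. The following is an added example, not Gradio's own code and not taken from the advisory; the serving root `/srv/demo/assets` and the sample requests are constructed for the demonstration.

```python
# Added example (not Gradio's own code): a path-containment check of the kind a
# fix, a reverse-proxy/WAF rule or a post-upgrade verification would enforce.
# It decides whether a client-supplied path stays inside the directory the
# application is meant to serve. The root and the requests are constructed.
import os
from typing import Optional


def resolve_inside(root: str, requested: str) -> Optional[str]:
    """Return the resolved absolute path for `requested` if it lies inside
    `root`, otherwise None. Symlinks are resolved, so a link that points
    outside the directory is rejected as well."""
    root_real = os.path.realpath(root)
    # os.path.join discards `root` when `requested` is absolute; that case is
    # then caught by the common-prefix comparison below.
    candidate = os.path.realpath(os.path.join(root_real, requested))
    try:
        if os.path.commonpath([root_real, candidate]) != root_real:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def is_allowed(root: str, requested: str) -> bool:
    """True when the request stays inside the serving root."""
    return resolve_inside(root, requested) is not None


# Constructed sample: the directory a demo serves and a few client requests.
SERVE_ROOT = "/srv/demo/assets"
SAMPLE_REQUESTS = [
    "logo.png",            # plain file under the root -> allowed
    "images/../logo.png",  # normalises back inside the root -> allowed
    "../config.yaml",      # climbs out of the root -> denied
    "/etc/hostname",       # absolute path would replace the root -> denied
    "..",                  # the parent directory itself -> denied
]


def audit(root: str, requests) -> dict:
    """Map each request to True (allowed) or False (denied)."""
    return {r: is_allowed(root, r) for r in requests}


if __name__ == "__main__":
    for req, ok in audit(SERVE_ROOT, SAMPLE_REQUESTS).items():
        print(f"{'ALLOW' if ok else 'DENY':5} {req}")
```

The comparison is done on the resolved path, not on the request string, so lexical tricks such as `images/../../config.yaml` and symlinks planted inside the directory are handled the same way. A simple "does the string contain `..`" rule, which is what naive WAF rules often implement, catches neither encoded variants nor symlinks.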
Update the gradio library to version 4.19.2 or higher. This fixes the local file inclusion vulnerability. You can update using `pip install --upgrade gradio`.
CVE-2024-1728 is a HIGH severity vulnerability allowing attackers to access files on the server hosting Gradio applications with public links. It affects versions ≤4.9.1.
Yes, if you are using Gradio version 4.9.1 or earlier and your application is accessible via a public link, you are potentially affected.
Upgrade Gradio to version 4.19.2 or higher to patch the vulnerability. Consider network restrictions and WAF rules as temporary mitigations.
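Whether a deployment is affected usually comes down to the gradio pin in its requirements file. The following is an added example, not Gradio's code and not part of this advisory: it scans a `requirements.txt` for gradio lines and classifies each against the range stated above (4.9.1 and earlier affected, 4.19.2 fixed). Versions between those two are reported as "unclear" because the advisory text says nothing about them. The requirements content is constructed for the demonstration.

```python
# Added example (not Gradio's or the advisory's own code): audit a requirements
# file for a gradio pin that falls in the affected range. The affected range
# (<= 4.9.1) and the fixed version (4.19.2) are taken from the advisory text;
# the requirements content below is constructed.
import re
from typing import List, Optional, Tuple

FIXED_VERSION = "4.19.2"
LAST_AFFECTED = "4.9.1"

# name[extras] op version; trailing comments are stripped before matching.
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?:(?P<op>==|>=|<=|~=|!=|>|<)\s*(?P<ver>[0-9][0-9A-Za-z.]*))?"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '4.19.2' into (4, 19, 2). Non-numeric tails such as 'rc1' are
    dropped, which is enough for comparing the release versions named here."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def classify_requirement(line: str) -> Optional[str]:
    """Verdict for a gradio requirement line; None for anything else."""
    stripped = line.split("#", 1)[0].strip()
    if not stripped:
        return None
    m = _REQ_RE.match(stripped)
    if not m or m.group("name").lower().replace("_", "-") != "gradio":
        return None
    op, ver = m.group("op"), m.group("ver")
    if op is None:
        return "unpinned"  # the resolver decides; pin >=4.19.2 to be certain
    pv = parse_version(ver)
    fixed, last_bad = parse_version(FIXED_VERSION), parse_version(LAST_AFFECTED)
    if op == "==":
        if pv <= last_bad:
            return "vulnerable"
        if pv >= fixed:
            return "fixed"
        return "unclear"  # between the last affected and the fixed release
    if op in (">=", "~="):
        # A lower bound at or above the fix cannot resolve to an affected release.
        return "fixed" if pv >= fixed else "may-resolve-vulnerable"
    # "<", "<=", ">" and "!=" give no usable lower bound.
    return "may-resolve-vulnerable"


def audit_requirements(text: str) -> List[Tuple[str, str]]:
    """Return (line, verdict) for every gradio line in a requirements file."""
    findings = []
    for raw in text.splitlines():
        verdict = classify_requirement(raw)
        if verdict is not None:
            findings.append((raw.strip(), verdict))
    return findings


# Constructed sample; a real file would carry a single gradio line.
REQUIREMENTS_SAMPLE = """\
# constructed sample requirements.txt
numpy>=1.26
gradio==4.9.1          # in the affected range
Gradio[oauth]>=4.19.2  # lower bound at the fixed release
gradio>=4.0            # lower bound below the fix
gradio                 # unpinned
"""

if __name__ == "__main__":
    for line, verdict in audit_requirements(REQUIREMENTS_SAMPLE):
        print(f"{verdict:24} {line}")
```

The verdict is derived from the pin alone; a lock file or `pip freeze` output from the deployed environment gives the version that actually runs and should be audited the same way. Only the `==` and `>=` forms yield a definite answer, which is one reason to pin a lower bound at the fixed release rather than leaving the package unpinned.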
There is currently no confirmed active exploitation, but the ease of exploitation suggests a high likelihood of future attacks.
Refer to the Gradio GitHub repository for the official advisory and patch details: https://github.com/gradio-app/gradio/commit/16fbe9cd0cffa9f2a824a01